Chromium Code Reviews
Unified Diff: net/base/data_url.h

Issue 555383003: [Regression fix] [Data URI parser] Accept data URI with invalid mediatype data (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Fixed unit tests Created 6 years, 3 months ago
Index: net/base/data_url.h
diff --git a/net/base/data_url.h b/net/base/data_url.h
index 3c1e3033dc6fa2c3368fa24a98af13fee601aab0..ee9c6d31dbf2f27964912dfb8928823588a7d100 100644
--- a/net/base/data_url.h
+++ b/net/base/data_url.h
@@ -35,8 +35,23 @@ class NET_EXPORT DataURL {
// decoded data (e.g.., if the data URL specifies base64 encoding, then the
// returned data is base64 decoded, and any %-escaped bytes are unescaped).
//
- // If the URL is malformed, then this method will return false, and its
- // output variables will remain unchanged. On success, true is returned.
+ // If the media type value doesn't match the media-type production defined in
+ // RFC 7231, mime_type will be set to the default value "text/plain". We
+ // don't simply fail for this grammar violation since Chromium had been
+ // accepting such invalid values. For example, <img> element with the src
+ // attribute set to a data URL with an invalid media type "image" (without a
+ // slash and subtype) had been displayed. However, the value this method will
+ // store in mime_type argument can be used for generating other headers, etc.
+ // This could lead to security vulnerability. We don't want to accept
+ // arbitrary value and ask each caller to validate the return value.
+ //
+ // If the charset parameter is specified but its value doesn't match the
+ // token production defined in RFC 7230, this method simply fails and returns
+ // false.
+ //
+ // If there's any other grammar violation in the URL, then this method will
+ // return false. Output variables may be changed and contain invalid data. On
+ // success, true is returned.
//
// OPTIONAL: If |data| is NULL, then the <data> section will not be parsed
// or validated.
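Review bot: the last added paragraph ("Output variables may be changed and contain invalid data" on a false return) silently replaces the previous guarantee that "output variables will remain unchanged", so every existing caller that reads |mime_type| or |charset| after a false return needs to be audited, and the comment should state outright that callers must ignore all output variables whenever this method returns false. The first added paragraph should also say explicitly that an invalid media type is the one grammar violation for which the method still returns true (with mime_type forced to "text/plain"), so that the three paragraphs read as one consistent contract; as written, the reader has to infer it. The sentence "This could lead to security vulnerability." is vague on its own and would be stronger tied to the concrete risk the previous sentence already describes, e.g. "Because callers may use mime_type to generate headers, passing an unvalidated value through could lead to a security vulnerability, so we default it rather than ask each caller to validate it." Minor: the unchanged context line above has a stray "e.g..," that could be fixed while this comment block is being touched.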