diff --git a/components/script/cors.rs b/components/script/cors.rs
index 8be1ec9d6d2b..21c3d3b38a7c 100644
--- a/components/script/cors.rs
+++ b/components/script/cors.rs
@@ -64,15 +64,22 @@ impl CORSRequest {
                      destination: Url,
                      mode: RequestMode,
                      method: Method,
-                     headers: Headers)
+                     headers: Headers,
+                     same_origin_data_url_flag: bool)
                      -> Result<Option<CORSRequest>, ()> {
         if referer.scheme == destination.scheme && referer.host() == destination.host() &&
            referer.port() == destination.port() {
             return Ok(None); // Not cross-origin, proceed with a normal fetch
         }
         match &*destination.scheme {
-            // TODO: If the request's same origin data url flag is set (which isn't the case for XHR)
-            // we can fetch a data URL normally. about:blank can also be fetched by XHR
+            // As per (https://fetch.spec.whatwg.org/#main-fetch 5.1.9), about URLs can be fetched
+            // the same as a basic request.
+	    // TODO: (security-sensitive) restrict the available pages to about:blank and
+	    // about:unicorn (See https://fetch.spec.whatwg.org/#concept-basic-fetch).
+            "about" => Ok(None),
+            // As per (https://fetch.spec.whatwg.org/#main-fetch 5.1.9), data URLs can be fetched
+            // the same as a basic request if the request's same-origin data-URL flag is set.
+            "data" if same_origin_data_url_flag => Ok(None),
             "http" | "https" => {
                 let mut req = CORSRequest::new(referer, destination, mode, method, headers);
                 req.preflight_flag = !is_simple_method(&req.method) ||
diff --git a/components/script/dom/xmlhttprequest.rs b/components/script/dom/xmlhttprequest.rs
index 318339127951..6d3ea9320999 100644
--- a/components/script/dom/xmlhttprequest.rs
+++ b/components/script/dom/xmlhttprequest.rs
@@ -626,7 +626,8 @@ impl XMLHttpRequestMethods for XMLHttpRequest {
                                                   load_data.url.clone(),
                                                   mode,
                                                   load_data.method.clone(),
-                                                  combined_headers);
+                                                  combined_headers,
+                                                  true);
         match cors_request {
             Ok(None) => {
                 let mut buf = String::new();
@@ -1301,7 +1302,8 @@ impl XMLHttpRequest {
               global: GlobalRef) -> ErrorResult {
         let cors_request = match cors_request {
             Err(_) => {
-                // Happens in case of cross-origin non-http URIs
+                // Happens in case of unsupported cross-origin URI schemes.
+                // Supported schemes are http, https, data, and about.
                 self.process_partial_response(XHRProgress::Errored(
                     self.generation_id.get(), Error::Network));
                 return Err(Error::Network);