data: URLs aren't secure except for being isolated origins. We don't know if the data URL originated from an http page, as opposed to https. We should consider removing data from kSecureSchemes in url_util.cc. 

The good news is that doing this seems to only break two tests:
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_rel_ng/builds/376516