diff --git a/wp-includes/rest-api.php b/wp-includes/rest-api.php
index e6cdc3a959..ec7c50d27b 100644
--- a/wp-includes/rest-api.php
+++ b/wp-includes/rest-api.php
@@ -525,7 +525,11 @@ function rest_send_cors_headers( $value ) {
 	$origin = get_http_origin();
 
 	if ( $origin ) {
-		header( 'Access-Control-Allow-Origin: ' . esc_url_raw( $origin ) );
+		// Requests from file:// and data: URLs send "Origin: null"
+		if ( 'null' !== $origin ) {
+			$origin = esc_url_raw( $origin );
+		}
+		header( 'Access-Control-Allow-Origin: ' . $origin );
 		header( 'Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE' );
 		header( 'Access-Control-Allow-Credentials: true' );
 		header( 'Vary: Origin' );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ed87ee68b9..e9dce89d8e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.8-alpha-40599';
+$wp_version = '4.8-alpha-40600';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.