diff --git services/network/public/cpp/initiator_lock_compatibility.cc services/network/public/cpp/initiator_lock_compatibility.cc
index 3215c667d8a1..c305faab1e0d 100644
--- services/network/public/cpp/initiator_lock_compatibility.cc
+++ services/network/public/cpp/initiator_lock_compatibility.cc
@@ -37,20 +37,26 @@ InitiatorLockCompatibility VerifyRequestInitiatorLock(
   if (initiator.opaque() || (initiator == lock))
     return InitiatorLockCompatibility::kCompatibleLock;
 
-  // TODO(lukasza, nasko): https://crbug.com/888079: Return kIncorrectLock if
+  // TODO(lukasza): https://crbug.com/891872: Return kIncorrectLock if
   // the origins do not match exactly in the previous if statement.  This should
-  // be possible to do once we no longer fall back to site_url and have
-  // request_initiator_*origin*_lock instead.  In practice, the fallback can go
-  // away after we no longer vend process-wide factory: https://crbug.com/891872
+  // be possible to do once we no longer vend process-wide factory.
   if (!initiator.opaque() && !lock.opaque() &&
       initiator.scheme() == lock.scheme() &&
-      initiator.GetURL().SchemeIsHTTPOrHTTPS() &&
-      !initiator.GetURL().HostIsIPAddress()) {
-    std::string lock_domain = lock.host();
-    if (!lock_domain.empty() && lock_domain.back() == '.')
-      lock_domain.erase(lock_domain.length() - 1);
-    if (initiator.DomainIs(lock_domain))
-      return InitiatorLockCompatibility::kCompatibleLock;
+      initiator.GetURL().SchemeIsHTTPOrHTTPS()) {
+    if (initiator.GetURL().HostIsIPAddress()) {
+      // For IP addresses, we require host equality (allowing ports to differ,
+      // since site_url ignores ports).  See also https://crbug.com/1051674.
+      if (initiator.host() == lock.host())
+        return InitiatorLockCompatibility::kCompatibleLock;
+    } else {
+      // For non-IP-address origins, we require sites (eTLD+1) to match
+      // (again ignoring ports).
+      std::string lock_domain = lock.host();
+      if (!lock_domain.empty() && lock_domain.back() == '.')
+        lock_domain.erase(lock_domain.length() - 1);
+      if (initiator.DomainIs(lock_domain))
+        return InitiatorLockCompatibility::kCompatibleLock;
+    }
   }
 
   return InitiatorLockCompatibility::kIncorrectLock;