Alternate-Protocol was failing when going through Digest authenticating proxy.

net/http/http_network_transaction.cc

Index: net/http/http_network_transaction.cc
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index ee98ccab55b4238305eb796a23b8425bbf6b5ccb..575e7f8e9c48964bf37f2090891e3cea30bc2d21 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -194,6 +194,17 @@ void ProcessAlternateProtocol(const HttpResponseHeaders& headers,
   alternate_protocols->SetAlternateProtocolFor(host_port, port, protocol);
 }
 
+GURL UpgradeUrlToHttps(const GURL& original_url) {
+  GURL::Replacements replacements;
+  // new_sheme and new_port need to be in scope here because GURL::Replacements
+  // references the memory contained by them directly.
+  const std::string new_scheme = "https";
+  const std::string new_port = IntToString(443);
+  replacements.SetSchemeStr(new_scheme);
+  replacements.SetPortStr(new_port);
+  return original_url.ReplaceComponents(replacements);
+}
+
 }  // namespace
 
 //-----------------------------------------------------------------------------
@@ -682,15 +693,7 @@ int HttpNetworkTransaction::DoResolveProxy() {
         endpoint_.set_port(alternate.port);
         alternate_protocol_ = alternate.protocol;
         alternate_protocol_mode_ = kUsingAlternateProtocol;
-
-        url_canon::Replacements<char> replacements;
-        replacements.SetScheme("https",
-                               url_parse::Component(0, strlen("https")));
-        const std::string port_str = base::IntToString(endpoint_.port());
-        replacements.SetPort(port_str.c_str(),
-                             url_parse::Component(0, port_str.size()));
-        alternate_endpoint_url =
-            curr_endpoint_url->ReplaceComponents(replacements);
+        alternate_endpoint_url = UpgradeUrlToHttps(*curr_endpoint_url);
         curr_endpoint_url = &alternate_endpoint_url;
       }
     }
@@ -779,9 +782,25 @@ int HttpNetworkTransaction::DoInitConnection() {
                             request_->referrer, disable_resolver_cache);
 
     if (proxy_info_.is_http()) {
+      GURL authentication_url = request_->url;
+      if (using_ssl_) {
+        if (!authentication_url.SchemeIs("https")) {
+          // If a proxy tunnel connection needs to be established due to
+          // an Alternate-Protocol, the URL needs to be changed to indicate
+          // https or digest authentication attempts will fail.
+          // For example, suppose the initial request was for
+          // "http://www.example.com/index.html". If this is an SSL
+          // upgrade due to alternate protocol, the digest authorization
+          // should have a uri="www.example.com:443" field rather than a
+          // "/index.html" entry, even though the original request URL has not
+          // changed.
+          authentication_url = UpgradeUrlToHttps(authentication_url);
+        }
+      }
       establishing_tunnel_ = using_ssl_;
       http_proxy_params = new HttpProxySocketParams(proxy_tcp_params,
-                                                    request_->url, endpoint_,
+                                                    authentication_url,
+                                                    endpoint_,
                                                     session_, using_ssl_);
     } else {
       DCHECK(proxy_info_.is_socks());