net: don't check revocation when fetching PAC files.

net/proxy/proxy_script_fetcher_impl.cc

Index: net/proxy/proxy_script_fetcher_impl.cc
diff --git a/net/proxy/proxy_script_fetcher_impl.cc b/net/proxy/proxy_script_fetcher_impl.cc
index c276c30e48308d41cd623273c9a7e985deae0943..d0b9d6ae3d369c8133f5ae4b9be2d8fc06a51fe0 100644
--- a/net/proxy/proxy_script_fetcher_impl.cc
+++ b/net/proxy/proxy_script_fetcher_impl.cc
@@ -145,7 +145,12 @@ int ProxyScriptFetcherImpl::Fetch(const GURL& url,
   // Also disable the use of the disk cache. The cache is disabled so that if
   // the user switches networks we don't potentially use the cached response
   // from old network when we should in fact be re-fetching on the new network.
-  cur_request_->set_load_flags(LOAD_BYPASS_PROXY | LOAD_DISABLE_CACHE);
+  // If the PAC script is hosted on an HTTPS server we bypass revocation
+  // checking in order to avoid a circular dependency when attempting to fetch
+  // the OCSP response or CRL. We could make the revocation check go direct but
+  // the proxy might be the only way to the outside world.
+  cur_request_->set_load_flags(LOAD_BYPASS_PROXY | LOAD_DISABLE_CACHE |
+                               LOAD_DISABLE_CERT_REVOCATION_CHECKING);
 
   // Save the caller's info for notification on completion.
   callback_ = callback;