Report second-level domains for UMA on pin failure.

net/base/transport_security_state.cc

Index: net/base/transport_security_state.cc
===================================================================
--- net/base/transport_security_state.cc	(revision 106614)
+++ net/base/transport_security_state.cc	(working copy)
@@ -21,6 +21,7 @@
 #include "base/json/json_writer.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/metrics/histogram.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
 #include "base/string_tokenizer.h"
@@ -37,6 +38,8 @@
 
 namespace net {
 
+static const char kPinFailure[] = "SSL.PinFailure";

[wtc, 2011/10/25 00:49:57]

Same here: please clarify what kind of pin failure this is.

+
 const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365;  // 1 year
 
 TransportSecurityState::TransportSecurityState(const std::string& hsts_hosts)
@@ -248,7 +251,7 @@
           continue;
         if (*tokenizer.token_begin() != '=')
           return false;
-        DCHECK(tokenizer.token().length() ==  1);
+        DCHECK(tokenizer.token().length() == 1);

[wtc, 2011/10/25 00:49:57]

Nit: it may be better to use DCHECK_EQ.  If you use DCHECK_EQ,
the constant 1 may need to be unsigned 1U.

         state = AFTER_MAX_AGE_EQUALS;
         break;
 
@@ -807,12 +810,79 @@
   return new_host;
 }
 
+typedef enum {

[wtc, 2011/10/25 00:49:57]

Can you document what this enum is for?

I guess the values of the constants in this enum must not
change.  If so, please document that.

[agl, 2011/10/25 15:00:01]

This typeful is significantly larger than the set of hosts for which we have
pinning. Since we wouldn't accept most of these hosts for pinning in any case,
is there any point in including them now?

+  DOMAIN_GOOGLE_COM = 0,

[wtc, 2011/10/25 00:49:57]

Unless our Style Guide requires this, it is not necessary
to initialize the first enum constant to 0 because that is
the default.

+  DOMAIN_ANDROID_COM,
+  DOMAIN_GOOGLE_ANALYTICS_COM,
+  DOMAIN_GOOGLEPLEX_COM,
+  DOMAIN_YTIMG_COM,
+  DOMAIN_GOOGLEUSERCONTENT_COM,
+  DOMAIN_YOUTUBE_COM,
+  DOMAIN_GOOGLEAPIS_COM,
+  DOMAIN_GOOGLEADSERVICES_COM,
+  DOMAIN_GOOGLECODE_COM,
+  DOMAIN_APPSPOT_COM,
+  DOMAIN_GOOGLESYNDICATION_COM,
+  DOMAIN_DOUBLECLICK_NET,
+  DOMAIN_GSTATIC_COM,
+  DOMAIN_GMAIL_COM,
+  DOMAIN_GOOGLEMAIL_COM,
+  DOMAIN_GOOGLEGROUPS_COM,
+
+  DOMAIN_PAYPAL_COM,
+  DOMAIN_ELANEX_BIZ,
+  DOMAIN_JOTTIT_COM,
+  DOMAIN_SUNSHINEPRESS_ORG,
+  DOMAIN_NOISEBRIDGE_NET,
+  DOMAIN_NEG9_ORG,
+  DOMAIN_RISEUP_NET,
+  DOMAIN_FACTOR_CC,
+  DOMAIN_MAYFIRST_ORG,
+  DOMAIN_SPLENDIDBACON_COM,
+  DOMAIN_OTTOSPORA_NL,
+  DOMAIN_PAYCHECKRECORDS_COM,
+  DOMAIN_LASTPASS_COM,
+  DOMAIN_KEYERROR_COM,
+  DOMAIN_ENTROPIA_DE,
+  DOMAIN_ROMAB_COM,
+  DOMAIN_LOGENTRIES_COM,
+  DOMAIN_STRIPE_COM,
+  DOMAIN_CLOUDSECURITYALLIANCE_ORG,
+  DOMAIN_SAPO_PT,
+  DOMAIN_MATTMCCUTCHEN_NET,
+  DOMAIN_BETNET_FR,
+  DOMAIN_UPROTECT_IT,
+  DOMAIN_SQUAREUP_COM,
+  DOMAIN_CERT_SE,
+  DOMAIN_CRYPTO_IS,
+  DOMAIN_BUTCHER_NAME,
+  DOMAIN_LINX_NET,
+  DOMAIN_DROPCAM_COM,
+  DOMAIN_INDOVINABANK_COM_VN,
+  DOMAIN_EPOXATE_COM,
+  DOMAIN_TORPROJECT_ORG,
+  DOMAIN_MONEYBOOKERS_COM,
+  DOMAIN_LEDGERSCOPE_NET,
+  DOMAIN_KYPS_NET,
+  DOMAIN_RECURLY_COM,
+  DOMAIN_GREPLIN_COM,
+  DOMAIN_NEARBUYSYSTEMS_COM,
+  DOMAIN_UBERTT_ORG,
+  DOMAIN_TWITTER_COM,
+  DOMAIN_TWIMG_COM,
+  DOMAIN_AKAMAIHD_NET,
+
+  // Boundary value for UMA_HISTOGRAM_ENUMERATION:
+  DOMAIN_NUM_EVENTS

[wtc, 2011/10/25 00:49:57]

NUM_EVENTS sounds strange because these aren't events.

+} LowResolutionDomainName;

[wtc, 2011/10/25 00:49:57]

  typedef enum {
    ...
  } LowResolutionDomainName;

is the C way.  In C++, you can simply say:

  enum LowResolutionDomainName {
    ...
  };

-- A C programmer

+
 struct HSTSPreload {
   uint8 length;
   bool include_subdomains;
   char dns_name[30];
   bool https_required;
   const char* const* required_hashes;
+  LowResolutionDomainName low_res_name;
 };
 
 static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries,
@@ -963,160 +1033,219 @@
 // slightly odd form removes the need for additional relocations records.
 static const struct HSTSPreload kPreloadedSTS[] = {
   // (*.)google.com, iff using SSL must use an acceptable certificate.
-  {12, true, "\006google\003com", false, kGoogleAcceptableCerts },
+  {12, true, "\006google\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {25, true, "\013pinningtest\007appspot\003com", false,
-      kTestAcceptableCerts },
+      kTestAcceptableCerts, DOMAIN_APPSPOT_COM },
   // Now we force HTTPS for subtrees of google.com.
-  {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts },
-  {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts },
-  {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts },
-  {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts },
+  {19, true, "\006health\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM  },
+  {21, true, "\010checkout\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {19, true, "\006chrome\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {17, true, "\004docs\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {18, true, "\005sites\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {25, true, "\014spreadsheets\006google\003com", true,
-      kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
   {22, false, "\011appengine\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts },
-  {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts },
-  {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
+  {22, true, "\011encrypted\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {21, true, "\010accounts\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {21, true, "\010profiles\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {17, true, "\004mail\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {23, true, "\012talkgadget\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
+  {17, true, "\004talk\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   {29, true, "\020hostedtalkgadget\006google\003com", true,
-      kGoogleAcceptableCerts },
-  {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_COM },
+  {17, true, "\004plus\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   // Other Google-related domains that must use HTTPS.
-  {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts },
+  {20, true, "\006market\007android\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_ANDROID_COM },
   {26, true, "\003ssl\020google-analytics\003com", true,
-      kGoogleAcceptableCerts },
-  {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts },
-  {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts },
-  {19, true, "\006groups\006google\003com", true, kGoogleAcceptableCerts },
+      kGoogleAcceptableCerts, DOMAIN_GOOGLE_ANALYTICS_COM },
+  {18, true, "\005drive\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
+  {16, true, "\012googleplex\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEPLEX_COM },
+  {19, true, "\006groups\006google\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLE_COM },
   // Other Google-related domains that must use an acceptable certificate
   // iff using SSL.
-  {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts },
-  {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts },
-  {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts },
-  {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
-  {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
-  {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
-  {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
-  {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
-  {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
-  {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts },
+  {11, true, "\005ytimg\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_YTIMG_COM },
+  {23, true, "\021googleusercontent\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEUSERCONTENT_COM },
+  {13, true, "\007youtube\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_YOUTUBE_COM },
+  {16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEAPIS_COM },
+  {22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEADSERVICES_COM },
+  {16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLECODE_COM },
+  {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_APPSPOT_COM },
+  {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLESYNDICATION_COM },
+  {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts,
+      DOMAIN_DOUBLECLICK_NET },
+  {17, true, "\003ssl\007gstatic\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GSTATIC_COM },
   // Exclude the learn.doubleclick.net subdomain because it uses a different
   // CA.
-  {23, true, "\005learn\013doubleclick\003net", false, 0 },
+  {23, true, "\005learn\013doubleclick\003net", false, 0,
+      DOMAIN_DOUBLECLICK_NET },
   // Now we force HTTPS for other sites that have requested it.
-  {16, false, "\003www\006paypal\003com", true, 0 },
-  {16, false, "\003www\006elanex\003biz", true, 0 },
-  {12, true,  "\006jottit\003com", true, 0 },
-  {19, true,  "\015sunshinepress\003org", true, 0 },
-  {21, false, "\003www\013noisebridge\003net", true, 0 },
-  {10, false, "\004neg9\003org", true, 0 },
-  {12, true, "\006riseup\003net", true, 0 },
-  {11, false, "\006factor\002cc", true, 0 },
-  {22, false, "\007members\010mayfirst\003org", true, 0 },
-  {22, false, "\007support\010mayfirst\003org", true, 0 },
-  {17, false, "\002id\010mayfirst\003org", true, 0 },
-  {20, false, "\005lists\010mayfirst\003org", true, 0 },
-  {19, true, "\015splendidbacon\003com", true, 0 },
-  {28, false, "\016aladdinschools\007appspot\003com", true, 0 },
-  {14, true, "\011ottospora\002nl", true, 0 },
-  {25, false, "\003www\017paycheckrecords\003com", true, 0 },
-  {14, false, "\010lastpass\003com", true, 0 },
-  {18, false, "\003www\010lastpass\003com", true, 0 },
-  {14, true, "\010keyerror\003com", true, 0 },
-  {13, false, "\010entropia\002de", true, 0 },
-  {17, false, "\003www\010entropia\002de", true, 0 },
-  {11, true, "\005romab\003com", true, 0 },
-  {16, false, "\012logentries\003com", true, 0 },
-  {20, false, "\003www\012logentries\003com", true, 0 },
-  {12, true, "\006stripe\003com", true, 0 },
-  {27, true, "\025cloudsecurityalliance\003org", true, 0 },
-  {15, true, "\005login\004sapo\002pt", true, 0 },
-  {19, true, "\015mattmccutchen\003net", true, 0 },
-  {11, true, "\006betnet\002fr", true, 0 },
-  {13, true, "\010uprotect\002it", true, 0 },
-  {14, false, "\010squareup\003com", true, 0 },
-  {9, true, "\004cert\002se", true, 0 },
-  {11, true, "\006crypto\002is", true, 0 },
-  {20, true, "\005simon\007butcher\004name", true, 0 },
-  {10, true, "\004linx\003net", true, 0 },
-  {13, false, "\007dropcam\003com", true, 0 },
-  {17, false, "\003www\007dropcam\003com", true, 0 },
-  {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0 },
-  {13, false, "\007epoxate\003com", true, 0 },
-  {16, false, "\012torproject\003org", true, kTorAcceptableCerts },
-  {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts },
-  {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts },
-  {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts },
-  {22, true, "\003www\014moneybookers\003com", true, 0 },
-  {17, false, "\013ledgerscope\003net", true, 0 },
-  {21, false, "\003www\013ledgerscope\003net", true, 0 },
-  {10, false, "\004kyps\003net", true, 0 },
-  {14, false, "\003www\004kyps\003net", true, 0 },
-  {17, true, "\003app\007recurly\003com", true, 0 },
-  {17, true, "\003api\007recurly\003com", true, 0 },
-  {13, false, "\007greplin\003com", true, 0 },
-  {17, false, "\003www\007greplin\003com", true, 0 },
-  {27, true, "\006luneta\016nearbuysystems\003com", true, 0 },
-  {12, true, "\006ubertt\003org", true, 0 },
+  {16, false, "\003www\006paypal\003com", true, 0, DOMAIN_PAYPAL_COM },
+  {16, false, "\003www\006elanex\003biz", true, 0, DOMAIN_ELANEX_BIZ },
+  {12, true,  "\006jottit\003com", true, 0, DOMAIN_JOTTIT_COM },
+  {19, true,  "\015sunshinepress\003org", true, 0, DOMAIN_SUNSHINEPRESS_ORG },
+  {21, false, "\003www\013noisebridge\003net", true, 0,
+      DOMAIN_NOISEBRIDGE_NET },
+  {10, false, "\004neg9\003org", true, 0, DOMAIN_NEG9_ORG },
+  {12, true, "\006riseup\003net", true, 0, DOMAIN_RISEUP_NET },
+  {11, false, "\006factor\002cc", true, 0,
+      DOMAIN_FACTOR_CC },
+  {22, false, "\007members\010mayfirst\003org", true, 0, DOMAIN_MAYFIRST_ORG },
+  {22, false, "\007support\010mayfirst\003org", true, 0, DOMAIN_MAYFIRST_ORG },
+  {17, false, "\002id\010mayfirst\003org", true, 0, DOMAIN_MAYFIRST_ORG },
+  {20, false, "\005lists\010mayfirst\003org", true, 0, DOMAIN_MAYFIRST_ORG },
+  {19, true, "\015splendidbacon\003com", true, 0, DOMAIN_SPLENDIDBACON_COM },
+  {28, false, "\016aladdinschools\007appspot\003com", true, 0,
+      DOMAIN_APPSPOT_COM },
+  {14, true, "\011ottospora\002nl", true, 0, DOMAIN_OTTOSPORA_NL },
+  {25, false, "\003www\017paycheckrecords\003com", true, 0,
+      DOMAIN_PAYCHECKRECORDS_COM },
+  {14, false, "\010lastpass\003com", true, 0, DOMAIN_LASTPASS_COM },
+  {18, false, "\003www\010lastpass\003com", true, 0, DOMAIN_LASTPASS_COM },
+  {14, true, "\010keyerror\003com", true, 0, DOMAIN_KEYERROR_COM },
+  {13, false, "\010entropia\002de", true, 0, DOMAIN_ENTROPIA_DE },
+  {17, false, "\003www\010entropia\002de", true, 0, DOMAIN_ENTROPIA_DE },
+  {11, true, "\005romab\003com", true, 0, DOMAIN_ROMAB_COM },
+  {16, false, "\012logentries\003com", true, 0, DOMAIN_LOGENTRIES_COM },
+  {20, false, "\003www\012logentries\003com", true, 0, DOMAIN_LOGENTRIES_COM },
+  {12, true, "\006stripe\003com", true, 0, DOMAIN_STRIPE_COM },
+  {27, true, "\025cloudsecurityalliance\003org", true, 0,
+      DOMAIN_CLOUDSECURITYALLIANCE_ORG },
+  {15, true, "\005login\004sapo\002pt", true, 0, DOMAIN_SAPO_PT },
+  {19, true, "\015mattmccutchen\003net", true, 0, DOMAIN_MATTMCCUTCHEN_NET },
+  {11, true, "\006betnet\002fr", true, 0, DOMAIN_BETNET_FR },
+  {13, true, "\010uprotect\002it", true, 0, DOMAIN_UPROTECT_IT },
+  {14, false, "\010squareup\003com", true, 0, DOMAIN_SQUAREUP_COM },
+  {9, true, "\004cert\002se", true, 0, DOMAIN_CERT_SE },
+  {11, true, "\006crypto\002is", true, 0, DOMAIN_CRYPTO_IS },
+  {20, true, "\005simon\007butcher\004name", true, 0, DOMAIN_BUTCHER_NAME },
+  {10, true, "\004linx\003net", true, 0, DOMAIN_LINX_NET },
+  {13, false, "\007dropcam\003com", true, 0, DOMAIN_DROPCAM_COM },
+  {17, false, "\003www\007dropcam\003com", true, 0, DOMAIN_DROPCAM_COM },
+  {30, true, "\010ebanking\014indovinabank\003com\002vn", true, 0,
+      DOMAIN_INDOVINABANK_COM_VN },
+  {13, false, "\007epoxate\003com", true, 0, DOMAIN_EPOXATE_COM },
+  {16, false, "\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {21, true, "\004blog\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {22, true, "\005check\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {20, true, "\003www\012torproject\003org", true, kTorAcceptableCerts,
+      DOMAIN_TORPROJECT_ORG },
+  {22, true, "\003www\014moneybookers\003com", true, 0,
+      DOMAIN_MONEYBOOKERS_COM },
+  {17, false, "\013ledgerscope\003net", true, 0, DOMAIN_LEDGERSCOPE_NET },
+  {21, false, "\003www\013ledgerscope\003net", true, 0,
+      DOMAIN_LEDGERSCOPE_NET },
+  {10, false, "\004kyps\003net", true, 0, DOMAIN_KYPS_NET },
+  {14, false, "\003www\004kyps\003net", true, 0, DOMAIN_KYPS_NET },
+  {17, true, "\003app\007recurly\003com", true, 0, DOMAIN_RECURLY_COM },
+  {17, true, "\003api\007recurly\003com", true, 0, DOMAIN_RECURLY_COM },
+  {13, false, "\007greplin\003com", true, 0, DOMAIN_GREPLIN_COM },
+  {17, false, "\003www\007greplin\003com", true, 0, DOMAIN_GREPLIN_COM },
+  {27, true, "\006luneta\016nearbuysystems\003com", true, 0,
+      DOMAIN_NEARBUYSYSTEMS_COM },
+  {12, true, "\006ubertt\003org", true, 0, DOMAIN_UBERTT_ORG },
 
-  {13, false, "\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003www\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003api\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {19, true, "\005oauth\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {20, true, "\006mobile\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {17, true, "\003dev\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
-  {22, true, "\010business\007twitter\003com", kTwitterHSTS, kTwitterComAcceptableCerts },
+  {13, false, "\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {17, true, "\003www\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {17, true, "\003api\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {19, true, "\005oauth\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {20, true, "\006mobile\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {17, true, "\003dev\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
+  {22, true, "\010business\007twitter\003com", kTwitterHSTS,
+      kTwitterComAcceptableCerts, DOMAIN_TWITTER_COM },
 
 #if 0
   // Twitter CDN pins disabled in order to track down pinning failures --agl
-  {22, true, "\010platform\007twitter\003com", false, kTwitterCDNAcceptableCerts },
-  {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts },
-  {23, true, "\010twimg0-a\010akamaihd\003net", false, kTwitterCDNAcceptableCerts },
+  {22, true, "\010platform\007twitter\003com", false,
+      kTwitterCDNAcceptableCerts, DOMAIN_TWITTER_COM },
+  {15, true, "\003si0\005twimg\003com", false, kTwitterCDNAcceptableCerts,
+      DOMAIN_TWIMG_COM },
+  {23, true, "\010twimg0-a\010akamaihd\003net", false,
+      kTwitterCDNAcceptableCerts, DOMAIN_AKAMAIHD_NET },
 #endif
 };
 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 
 static const struct HSTSPreload kPreloadedSNISTS[] = {
   // These SNI-only domains must always use HTTPS.
-  {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts },
-  {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts },
-  {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts },
-  {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts },
+  {11, false, "\005gmail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GMAIL_COM },
+  {16, false, "\012googlemail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEMAIL_COM },
+  {15, false, "\003www\005gmail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GMAIL_COM },
+  {20, false, "\003www\012googlemail\003com", true, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEMAIL_COM },
   // These SNI-only domains must use an acceptable certificate iff using
   // HTTPS.
-  {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
+  {22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts,
+     DOMAIN_GOOGLE_ANALYTICS_COM },
   // www. requires SNI.
-  {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
+  {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts,
+      DOMAIN_GOOGLEGROUPS_COM },
 };
 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
 
-// Returns true if there is an HSTSPreload entry for the host in |entries|, and
-// if its |required_hashes| member is identical (by address) to |certs|.
-static bool ScanForHostAndCerts(
+// Returns the HSTSPreload entry for the |canonicalized_host| in |entries|,
+// or NULL if there is none. Prefers exact hostname matches to those that
+// match only because HSTSPreload.include_subdomains is true.
+//
+// |canonicalized_host| should be the hostname as canonicalized by
+// CanonicalizeHost.
+static const struct HSTSPreload* GetHSTSPreload(
     const std::string& canonicalized_host,
     const struct HSTSPreload* entries,
-    size_t num_entries,
-    const char* const certs[]) {
-  bool hit = false;
+    size_t num_entries) {
+  const struct HSTSPreload* hit = NULL;
 
   for (size_t i = 0; canonicalized_host[i]; i += canonicalized_host[i] + 1) {
     for (size_t j = 0; j < num_entries; j++) {
-      const struct HSTSPreload& entry = entries[j];
+      const struct HSTSPreload* entry = entries + j;
 
-      if (i != 0 && !entry.include_subdomains)
+      if (i != 0 && !entry->include_subdomains)
         continue;
 
-      if (entry.length == canonicalized_host.size() - i &&
-          memcmp(entry.dns_name, &canonicalized_host[i], entry.length) == 0) {
-        hit = entry.required_hashes == certs;
-        // Return immediately upon exact match:
+      if (entry->length == canonicalized_host.size() - i &&
+          memcmp(entry->dns_name, &canonicalized_host[i], entry->length) == 0) {
+        // Return immediately upon exact match.
         if (i == 0)
-          return hit;
+          return entry;
+        hit = entry;
       }
     }
   }
@@ -1128,23 +1257,41 @@
 bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
                                                     bool sni_available) {
   std::string canonicalized_host = CanonicalizeHost(host);
+  const struct HSTSPreload* entry =
+      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
 
-  if (ScanForHostAndCerts(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS,
-                          kGoogleAcceptableCerts)) {
+  if (entry && entry->required_hashes == kGoogleAcceptableCerts)
     return true;
-  }
 
   if (sni_available) {
-    if (ScanForHostAndCerts(canonicalized_host, kPreloadedSNISTS, kNumPreloadedSNISTS,
-                            kGoogleAcceptableCerts)) {
+    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
+                           kNumPreloadedSNISTS);
+    if (entry && entry->required_hashes == kGoogleAcceptableCerts)
       return true;
-    }
   }
 
   return false;
 }
 
+// static
+void TransportSecurityState::ReportUMAPinFailure(const std::string& host,
+                                                 bool sni_available) {
+  std::string canonicalized_host = CanonicalizeHost(host);
 
+  const struct HSTSPreload* entry =
+      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
+
+  if (!entry && sni_available)
+    entry = GetHSTSPreload(canonicalized_host, kPreloadedSNISTS,
+                           kNumPreloadedSNISTS);

[wtc, 2011/10/25 00:49:57]

Nit: put curly braces around the "if" body because it is
two lines (even though one statement).

+
+  if (!entry)
+    return;
+
+  UMA_HISTOGRAM_ENUMERATION(kPinFailure, entry->low_res_name,
+                            DOMAIN_NUM_EVENTS);

[wtc, 2011/10/25 00:49:57]

I checked with jar, the father of Histogram.

Here you did the right thing: by passing the largest sample + 1
as the third argument, you will be able to add new values
to the *end* of the LowResolutionDomainName enum type in
the future without breaking this histogram.

+}
+
 // IsPreloadedSTS returns true if the canonicalized hostname should always be
 // considered to have STS enabled.
 bool TransportSecurityState::IsPreloadedSTS(