Make HSTS headers not clobber preloaded pins.

net/socket/ssl_client_socket_nss.cc

Index: net/socket/ssl_client_socket_nss.cc
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index b3c8e0ee7b97bd2d3abdc6e6aa1aec33906cdcb8..5fd026a57030eb11ece1134933ba6256f94cbdba 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -3496,11 +3496,9 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) {
         ssl_config_.version_fallback;
     const std::string& host = host_and_port_.host();
 
-    TransportSecurityState::DomainState domain_state;
-    if (transport_security_state_->GetDomainState(host, sni_available,
-                                                  &domain_state) &&
-        domain_state.HasPublicKeyPins()) {
-      if (!domain_state.CheckPublicKeyPins(
+    if (transport_security_state_->HasPublicKeyPins(host, sni_available)) {
+      if (!transport_security_state_->CheckPublicKeyPins(

[Ryan Sleevi, 2014/04/08 20:29:11]

There's a potential of a perf hit here from having to lookup twice (first for
has, then for check).

I'm inclined to suggest that the perf hit is acceptable, but this could be
refactored into something like HasAndCheck() [name sucks, you can do better than
I], that returns a tristate (doesn't apply / matches / doesn't match)

+              host, sni_available,
               server_cert_verify_result_.public_key_hashes)) {
         result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
         UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false);