Verify alternative server certificate validity for origin.

net/base/net_error_list.h

Index: net/base/net_error_list.h
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h
index 6f152c9ce5140161d7fc34bc9141aeae05093957..fe5e24694c2437cf4dc6a4811ea07e02af094a04 100644
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -449,13 +449,18 @@ NET_ERROR(CERT_NAME_CONSTRAINT_VIOLATION, -212)
 // The certificate's validity period is too long.
 NET_ERROR(CERT_VALIDITY_TOO_LONG, -213)
 
+// The certificate offered by the alternative server is not valid for the
+// origin, a violation of HTTP Alternative Services specification Section 2.1,
+// https://tools.ietf.org/id/draft-ietf-httpbis-alt-svc-06.html#host_auth.
+NET_ERROR(ALTERNATIVE_CERT_NOT_VALID_FOR_ORIGIN, -214)

[Ryan Hamilton, 2015/04/10 18:37:36]

Great error name and comment!

+
 // Add new certificate error codes here.
 //
 // Update the value of CERT_END whenever you add a new certificate error
 // code.
 
 // The value immediately past the last certificate error code.
-NET_ERROR(CERT_END, -214)
+NET_ERROR(CERT_END, -215)

[Ryan Hamilton, 2015/04/10 18:37:36]

We'll have to look very carefully about code that makes use of
IsCertificateError() to be sure your new error is treated accordingly. Or
perhaps it'll be best to put it in a different place. In some sense, it's not a
"Certificate Error" so much as it is an "Alternate Service Error (because of
certs)".  I recommend moving, so we don't have to reason about this.

[Bence, 2015/04/10 19:55:16]

Done.

 
 // The URL is invalid.
 NET_ERROR(INVALID_URL, -300)