Verify alternative server certificate validity for origin.

net/http/http_stream_factory_impl.cc

Index: net/http/http_stream_factory_impl.cc
diff --git a/net/http/http_stream_factory_impl.cc b/net/http/http_stream_factory_impl.cc
index dab8bc80c4a29ae9d02c9baa5037290e6b4cfe13..9efb3a02f3043ca53f686369ab2cd443e77903bc 100644
--- a/net/http/http_stream_factory_impl.cc
+++ b/net/http/http_stream_factory_impl.cc
@@ -162,11 +162,6 @@ AlternativeService HttpStreamFactoryImpl::GetAlternativeServiceFor(
 
   if (alternative_service.protocol == UNINITIALIZED_ALTERNATE_PROTOCOL)
     return kNoAlternativeService;
-  // TODO(bnc):  Make sure that callers connect to the specified host, and that
-  // certificate requirements are enforced.  Then remove the following two
-  // lines.
-  if (alternative_service.host != origin.host())
-    return kNoAlternativeService;
   if (http_server_properties.IsAlternativeServiceBroken(alternative_service)) {
     HistogramAlternateProtocolUsage(ALTERNATE_PROTOCOL_USAGE_BROKEN);
     return kNoAlternativeService;
@@ -201,6 +196,10 @@ AlternativeService HttpStreamFactoryImpl::GetAlternativeServiceFor(
   }
 
   DCHECK_EQ(QUIC, alternative_service.protocol);
+  // TODO(bnc):  Make sure that certificate requirements are enforced when using
+  // QUIC, then remove the following two lines.
+  if (alternative_service.host != origin.host())
+    return kNoAlternativeService;

[Ryan Hamilton, 2015/04/10 18:37:36]

We actually intend to make use of this feature first in QUIC. I'm not sure if
that affects your sequencing of work, but just FYI.

[Bence, 2015/04/10 19:55:16]

Okay.  I started with HTTP/2 tests because there are half as many of them.  I'll
get to the QUIC case next.

   if (!session_->params().enable_quic)
     return kNoAlternativeService;