Verify alternative server certificate validity for origin.

net/http/http_stream_factory_impl.cc

Index: net/http/http_stream_factory_impl.cc
diff --git a/net/http/http_stream_factory_impl.cc b/net/http/http_stream_factory_impl.cc
index 0397acaeec1495238a2ff3f2d3cd4c3d054de1b4..1867d6d38b341491923307d9afa62ab95faef108 100644
--- a/net/http/http_stream_factory_impl.cc
+++ b/net/http/http_stream_factory_impl.cc
@@ -159,11 +159,6 @@ AlternativeService HttpStreamFactoryImpl::GetAlternativeServiceFor(
 
   if (alternative_service.protocol == UNINITIALIZED_ALTERNATE_PROTOCOL)
     return kNoAlternativeService;
-  // TODO(bnc):  Make sure that callers connect to the specified host, and that
-  // certificate requirements are enforced.  Then remove the following two
-  // lines.
-  if (alternative_service.host != origin.host())
-    return kNoAlternativeService;
   if (http_server_properties.IsAlternativeServiceBroken(alternative_service)) {
     HistogramAlternateProtocolUsage(ALTERNATE_PROTOCOL_USAGE_BROKEN);
     return kNoAlternativeService;
@@ -198,6 +193,10 @@ AlternativeService HttpStreamFactoryImpl::GetAlternativeServiceFor(
   }
 
   DCHECK_EQ(QUIC, alternative_service.protocol);
+  // TODO(bnc):  Make sure that certificate requirements are enforced when using
+  // QUIC, then remove the following two lines.
+  if (alternative_service.host != origin.host())
+    return kNoAlternativeService;
   if (!session_->params().enable_quic)
     return kNoAlternativeService;