Add a whitelist for QUIC hosts.

net/http/transport_security_state.cc

Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index e77c8c5e2138a4688a03a9d76047d9235e88dbc4..3a38992067e8b4dcb919b4fbfcca70b5156bfb2f 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -1100,6 +1100,22 @@ bool TransportSecurityState::GetStaticDomainState(const std::string& host,
   return true;
 }
 
+bool TransportSecurityState::IsGooglePinnedHost(const std::string& host) const {
+  DCHECK(CalledOnValidThread());
+
+  if (!IsBuildTimely())
+    return false;
+
+  PreloadResult result;
+  if (!DecodeHSTSPreload(host, &result))
+    return false;
+
+  if (!result.has_pins)

[Ryan Sleevi, 2016/01/12 00:29:39]

BUG? You should be checking enable_static_pins_, right? You seem to be
duplicating the subset of GetStaticDomainState relevant for this function.

[Ryan Hamilton, 2016/01/12 01:21:24]

I think this is a feature. In the initial version of this CL, I called into
GetStaticDomainState() and observed to agl that this meant that local builds
would not have these hosts on the whitelist. He suggested that since the data
still exists, we could make use of it, so not checking enable_static_pins_ is
intentional. 

+    return false;
+
+  return kPinsets[result.pinset_id].accepted_pins == kGoogleAcceptableCerts;

[Ryan Sleevi, 2016/01/12 00:29:39]

BUG? The original code defends against corruption for pinset_id (see lines
1077/1078). Why is that not necessary here? Is that above check unnecessary?

[Ryan Hamilton, 2016/01/12 01:21:24]

It's defending against corruption? Interesting. I didn't catch that.
Done.

+}
+
 bool TransportSecurityState::GetStaticExpectCTState(
     const std::string& host,
     ExpectCTState* expect_ct_state) const {