Expose when PKP is bypassed in SSLInfo.

net/spdy/spdy_session.cc

Index: net/spdy/spdy_session.cc
diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc
index d316ea2cc457686d57c240b99bb31c2fcfb8ab60..8aaf5954279e98838d3c66116237e6fc4f3b0677 100644
--- a/net/spdy/spdy_session.cc
+++ b/net/spdy/spdy_session.cc
@@ -654,6 +654,10 @@ bool SpdySession::CanPool(TransportSecurityState* transport_security_state,
   if (!ssl_info.cert->VerifyNameMatch(new_hostname, &unused))
     return false;
 
+  // Pinning is bypassed for local roots.
+  if (!ssl_info.is_issued_by_known_root)
+    return true;

[Ryan Sleevi, 2016/06/09 19:17:32]

FWIW, and for better or worse, it was intentional this was omitted, but that
should have been documented.

The thinking at the time was that it's OK for things to be slower if the user is
MITM'ing themselves; that is, you don't get "the performance of pooling for
pinned hosts"

I'm also a little nervous about this conditional being before the pinning check,
rather than being a part of it. This conditional makes it too easy to
short-circuit security checks added later (e.g. as part of line 672)

[davidben, 2016/06/09 19:19:15]

I believe this aligns with the old behavior, but I agree I really don't like
having callers need to care about this. My suggestion (below) was that
CheckPublicKeyPins should either return an enum or return the same boolean as
before and then have a separate output parameter for the diagnositic
information.

[dadrian, 2016/06/09 21:58:57]

Done.

+
   std::string pinning_failure_log;
   // DISABLE_PIN_REPORTS is set here because this check can fail in
   // normal operation without being indicative of a misconfiguration or