Enable public key pinning of local trust anchors

net/http/transport_security_state.h

Index: net/http/transport_security_state.h
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index c29f8590c0d74980b5caeaf67e429d7281f02636..d5283712c57ae28e53a6f63cecd722c136bc7a19 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -421,6 +421,14 @@ class NET_EXPORT TransportSecurityState
                const HashValueVector& hashes,
                const GURL& report_uri);
 
+  // Enables or disables public key pinning bypass for local trust anchors.
+  // Disabling the bypass for local trust anchors is highly discouraged.
+  // This method is used by Cronet only and *** MUST NOT *** be used by any
+  // other consumer. For more information see "How does key pinning interact
+  // with local proxies and filters?" at
+  // https://www.chromium.org/Home/chromium-security/security-faq
+  void SetEnablePublicKeyPinningBypassForLocalTrustAnchors(bool value);
+
   // Parses |value| as a Public-Key-Pins-Report-Only header value and
   // sends a HPKP report for |host_port_pair| if |ssl_info| violates the
   // pin. Returns true if |value| parses and includes a valid
@@ -557,6 +565,9 @@ class NET_EXPORT TransportSecurityState
   // True if static expect-staple state should be used.
   bool enable_static_expect_staple_;
 
+  // True if public key pinning bypass is enabled for local trust anchors.
+  bool enable_pkp_bypass_for_local_trust_anchors_;
+
   ExpectCTReporter* expect_ct_reporter_ = nullptr;
 
   RequireCTDelegate* require_ct_delegate_ = nullptr;