Enable public key pinning of local trust anchors

net/http/transport_security_state.h

Index: net/http/transport_security_state.h
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index b74b78d64fdb60664dfd3de3b0c2cd41e420b0dc..9916e2973e79c6dcca7284e631e59cae8c7a0c15 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -364,6 +364,12 @@ class NET_EXPORT TransportSecurityState
                const HashValueVector& hashes,
                const GURL& report_uri);
 
+  // Enables pinning of local trust anchors. This method is used by Cronet only
+  // and *** MUST NOT *** be used by any other consumer. For more information
+  // see "How does key pinning interact with local proxies and filters?" at
+  // https://www.chromium.org/Home/chromium-security/security-faq

[Ryan Sleevi, 2016/06/21 00:52:26]

This should get a second-pass over with the overall naming.

[kapishnikov, 2016/06/29 23:04:32]

Done.

+  void SetEnableHPKPForLocalTrustAnchors(bool value);
+
   // Parses |value| as a Public-Key-Pins-Report-Only header value and
   // sends a HPKP report for |host_port_pair| if |ssl_info| violates the
   // pin. Returns true if |value| parses and includes a valid
@@ -493,6 +499,9 @@ class NET_EXPORT TransportSecurityState
   // True if static expect-staple state should be used.
   bool enable_static_expect_staple_;
 
+  // True if pinning of local trust anchors is enabled
+  bool enable_hpkp_for_local_trust_anchors_;
+
   ExpectCTReporter* expect_ct_reporter_;
 
   // Keeps track of reports that have been sent recently for