Stop revoking cert exceptions on resources loaded from cache

content/browser/ssl/ssl_policy.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/ssl/ssl_policy.h"
 
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/memory/singleton.h"
@@ skipping 145 matching lines @@
     // If the scheme is https: or wss: *and* the security info for the
     // cert has been set (i.e. the cert id is not 0) and the cert did
     // not have any errors, revoke any previous decisions that
     // have occurred. If the cert info has not been set, do nothing since it
     // isn't known if the connection was actually a valid connection or if it
     // had a cert error.
     SSLGoodCertSeenEvent event = NO_PREVIOUS_EXCEPTION;
     if (backend_->HasAllowException(url.host())) {
       // If there's no certificate error, a good certificate has been seen, so
       // clear out any exceptions that were made by the user for bad
-      // certificates.
+      // certificates. This intentionally does not apply to cached resources
+      // (see https://crbug.com/634553 for an explanation).
       backend_->RevokeUserAllowExceptions(url.host());
       event = HAD_PREVIOUS_EXCEPTION;
     }
     UMA_HISTOGRAM_ENUMERATION("interstitial.ssl.good_cert_seen", event,
                               SSL_GOOD_CERT_SEEN_EVENT_MAX);
   }
 }
 
 void SSLPolicy::UpdateEntry(NavigationEntryImpl* entry,
                             WebContents* web_contents) {
@@ skipping 67 matching lines @@
 
 void SSLPolicy::InitializeEntryIfNeeded(NavigationEntryImpl* entry) {
   if (entry->GetSSL().security_style != SECURITY_STYLE_UNKNOWN)
     return;
 
   entry->GetSSL().security_style = GetSecurityStyleForResource(
       entry->GetURL(), entry->GetSSL().cert_id, entry->GetSSL().cert_status);
 }
 
 }  // namespace content