Add new SecurityLevel for Http Bad state

components/security_state/security_state_model.h

Index: components/security_state/security_state_model.h
diff --git a/components/security_state/security_state_model.h b/components/security_state/security_state_model.h
index fc7e5f34c7d4d085098f3ac19c2b568f8d48fb3b..71d422c42ba47e02a6d433e1002e68c571da3e5e 100644
--- a/components/security_state/security_state_model.h
+++ b/components/security_state/security_state_model.h
@@ -39,6 +39,11 @@ class SecurityStateModel {
     // HTTP/no URL/HTTPS but with insecure passive content on the page.
     NONE,
 
+    // HTTP, but something about the page (e.g., inclusion of private info)
+    // suggests we should show a warning for it. This is intended for use as
+    // part of the Http Bad rollout (https://crbug.com/647754).

[Peter Kasting, 2016/09/20 00:50:05]

OK... I'm still not really sure how this comment is helpful to me as a reader,
or how we're going to know to come back here and remove that at some point. 
When is this no longer applicable?  Clearly in ten years when this is fully
rolled out we won't need/want this comment, but what's the point before then
where it becomes useless?

What about something like this?

    // HTTP, in a case where we want to show a visible warning about the page's
    // lack of security.
    //
    // The criteria used to classify pages as NONE vs. HTTP_WARNING will change
    // over time.  Eventually, NONE Will be eliminated.  See crbug.com/647754.

[felt, 2016/09/20 01:09:56]

Done.

+    HTTP_WARNING,
+
     // HTTPS with valid EV cert.
     EV_SECURE,