net: don't allow SSLv3 fallback for Google properties.

net/http/transport_security_state_static.json

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file contains the HSTS preloaded list in a machine readable format.
 
 // The top-level element is a dictionary with two keys: "pinsets" maps details
 // of certificate pinning to a name and "entries" contains the HSTS details for
 // each host.
 //
@@ skipping 183 matching lines @@
     { "name": "codereview.chromium.org", "include_subdomains": true, "mode": "force-https", "pins": "google" },
     { "name": "code.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
     { "name": "googlecode.com", "include_subdomains": true, "pins": "google" },
     { "name": "dl.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
     { "name": "translate.googleapis.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
 
     // chart.apis.google.com is *not* HSTS because the certificate doesn't match
     // and there are lots of links out there that still use the name. The correct
     // hostname for this is chart.googleapis.com.
     { "name": "chart.apis.google.com", "include_subdomains": true, "pins": "google" },
+    { "name": "oraprodsso.corp.google.com", "include_subdomains": true, "mode": "force-https" },

[wtc, 2013/09/03 18:17:16]

It seems that  include_subdomains should be false. Does this hostname have
subdomains, or is this defensive programming?

Why does adding a mode=force-https entry poke a hole for this hostname?

(Note: the CL description has a typo: "pokes a whole".)

[palmer, 2013/09/03 18:20:45]

agl probably intends to be defensive, and it makes sense to me.
Most specific hostname match matches first, so this policy overrides more
general policies.

 
     // Other Google-related domains that must use an acceptable certificate
     // iff using SSL.
     { "name": "ytimg.com", "include_subdomains": true, "pins": "google" },
     { "name": "googleusercontent.com", "include_subdomains": true, "pins": "google" },
     { "name": "youtube.com", "include_subdomains": true, "pins": "google" },
     { "name": "googleapis.com", "include_subdomains": true, "pins": "google" },
     { "name": "googleadservices.com", "include_subdomains": true, "pins": "google" },
     { "name": "appspot.com", "include_subdomains": true, "pins": "google" },
     { "name": "googlesyndication.com", "include_subdomains": true, "pins": "google" },
@@ skipping 420 matching lines @@
 
     // Entries that are only valid if the client supports SNI.
     { "name": "gmail.com", "mode": "force-https", "pins": "google", "snionly": true },
     { "name": "googlemail.com", "mode": "force-https", "pins": "google", "snionly": true },
     { "name": "www.gmail.com", "mode": "force-https", "pins": "google", "snionly": true },
     { "name": "www.googlemail.com", "mode": "force-https", "pins": "google", "snionly": true },
     { "name": "google-analytics.com", "include_subdomains": true, "pins": "google", "snionly": true },
     { "name": "googlegroups.com", "include_subdomains": true, "pins": "google", "snionly": true }
   ]
 }