net: don't allow SSLv3 fallback for Google properties.

net/http/transport_security_state_static.json

Index: net/http/transport_security_state_static.json
diff --git a/net/http/transport_security_state_static.json b/net/http/transport_security_state_static.json
index f338559a84e8351bf4473bd42c729486605a2c75..35f5ba74f159aee364015e54d78b5986ee7a8620 100644
--- a/net/http/transport_security_state_static.json
+++ b/net/http/transport_security_state_static.json
@@ -201,6 +201,7 @@
     // and there are lots of links out there that still use the name. The correct
     // hostname for this is chart.googleapis.com.
     { "name": "chart.apis.google.com", "include_subdomains": true, "pins": "google" },
+    { "name": "oraprodsso.corp.google.com", "include_subdomains": true, "mode": "force-https" },

[wtc, 2013/09/03 18:17:16]

It seems that  include_subdomains should be false. Does this hostname have
subdomains, or is this defensive programming?

Why does adding a mode=force-https entry poke a hole for this hostname?

(Note: the CL description has a typo: "pokes a whole".)

[palmer, 2013/09/03 18:20:45]

agl probably intends to be defensive, and it makes sense to me.
Most specific hostname match matches first, so this policy overrides more
general policies.

 
     // Other Google-related domains that must use an acceptable certificate
     // iff using SSL.