tools/metrics/histograms/histograms.xml

Index: tools/metrics/histograms/histograms.xml
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
index a8e775366dbdec09a4589d952ea86135511b7f11..8eca643dc94cc1242ed55842c23659785731a9c8 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -9708,14 +9708,29 @@ Therefore, the affected-histogram name has to have at least one dot in it.
     enum="SSLNonAttackCauses">
   <owner>felt@chromium.org</owner>
   <summary>
-    Possible non-attack causes of the non-overridable SSL interstitial.
+    Possible non-attack causes of the non-overridable SSL interstitial. Many
+    errors are not reported in this histogram and new errors may be added
+    overtime, therefore one should not look at the breakdown of this histogram

[Mark P, 2014/08/06 22:25:56]

nit: overtime -> over time

[radhikabhar, 2014/08/06 22:35:53]

Done.

+    (one bucket divided by the sum) because that will be inaccurate. Instead,
+    one should look at each bucket count divided by the ssl error. E.g. WWW

[Mark P, 2014/08/06 22:25:56]

nit:
the ssl error
->
the count of ssl errors of that type

[radhikabhar, 2014/08/06 22:35:53]

Done.

+    mismatch is recorded only when the ssl error is CERT_COMMON_NAME_INVALID, so
+    one should look at the bucket count of WWW mismatch divided by the bucket
+    count of CERT_COMMON_NAME_INVALID in the histogram
+    interstitial.ssl_error_type.

[Mark P, 2014/08/06 22:25:56]

This is much nicer; thank you for your patience.

   </summary>
 </histogram>
 
 <histogram name="interstitial.ssl.cause.overridable" enum="SSLNonAttackCauses">
   <owner>felt@chromium.org</owner>
   <summary>
-    Possible non-attack causes of the overridable SSL interstitial.
+    Possible non-attack causes of the overridable SSL interstitial. Many errors
+    are not reported in this histogram and new errors may be added overtime,
+    therefore one should not look at the breakdown of this histogram (one bucket
+    divided by the sum) because that will be inaccurate. Instead, one should
+    look at each bucket count divided by the ssl error. E.g. WWW mismatch is
+    recorded only when the ssl error is CERT_COMMON_NAME_INVALID, so one should
+    look at the bucket count of WWW mismatch divided by the bucket count of
+    CERT_COMMON_NAME_INVALID in the histogram interstitial.ssl_error_type.
   </summary>
 </histogram>
 
@@ -48045,6 +48060,38 @@ Therefore, the affected-histogram name has to have at least one dot in it.
 <enum name="SSLNonAttackCauses" type="int">
   <int value="0" label="CLOCK_PAST: System clock set early"/>
   <int value="1" label="CLOCK_FUTURE: System clock set late"/>
+  <int value="2"
+      label="WWW_SUBDOMAIN_MATCH: Difference between the URL and the DNS is
+             www">
+    This cause is recorded if the ssl error is CERT_COMMON_NAME_INVALID and the
+    hostname differs from one of the DNS names in the certificate (CN or SANs)
+    only by the presence or absence of the single-label prefix &quot;www&quot;.
+    This case is not recored if the host name is not a known TLD.
+  </int>
+  <int value="3" label="SUBDOMAIN_MATCH: The URL is a subdomain of the DNS">
+    This cause is recorded if the ssl error is CERT_COMMON_NAME_INVALID and the
+    difference between the URL and the DNS name is not &quot;www&quot;. This
+    case is not recorded if the host name is not a known TLD.
+  </int>
+  <int value="4"
+      label="SUBDOMAIN_INVERSE_MATCH: The DNS is a subdomian of the URL">
+    This cause is recorded if the ssl error is CERT_COMMON_NAME_INVALID and the
+    difference between the DNS name and the DNS name is not &quot;www&quot;.

[Mark P, 2014/08/06 22:25:56]

one of these DNS names should be URL

[radhikabhar, 2014/08/06 22:35:53]

Done.

+    E.g.: a.b.example.com ~ *.example.com = true,  b.example.com ~ *.example.com
+    = false. This case is not recorded if the host name is not a known TLD.

[Mark P, 2014/08/06 22:25:56]

The example doesn't help (me) at all.  I suggest you remove it.

If you want to keep it, you should make it clear that the first element in those
~ operations is the DNS and the second is the URL (wildcard), and by true/false
you mean whether it's an error and would be recorded in this bucket.

You don't have to keep the example.

[radhikabhar, 2014/08/06 22:35:53]

Removed the example.

+  </int>
+  <int value="5"
+      label="SUBDOMAIN_OUTSIDE_WILDCARD: The URL is outside the scope of the
+             wildcard certificate">
+    This cause is recorded only if the ssl error is CERT_COMMON_NAME_INVALID, we
+    have received a wildcard certificate and the scope of a wildcard certificate
+    is too narrow for the hostname. This cases is not recorded if the host name
+    is not a known TLD.
+  </int>
+  <int value="6"
+      label="HOST_NAME_NOT_KNOWN_TLD: The host name is not a known TLD">
+    This cause is recorded only for CERT_COMMON_NAME_INVALID errors.
+  </int>
 </enum>
 
 <enum name="SSLResponseTypesV2" type="int">