| Index: net/socket/ssl_client_socket_nss.cc | 
| diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc | 
| index 0237eb522e96f5508ed3e3768ab41c970527df0e..14101acb92237202272fdd9de6f2c34217568e0b 100644 | 
| --- a/net/socket/ssl_client_socket_nss.cc | 
| +++ b/net/socket/ssl_client_socket_nss.cc | 
| @@ -3426,53 +3426,21 @@ int SSLClientSocketNSS::DoVerifyCertComplete(int result) { | 
| if (result == OK) | 
| LogConnectionTypeMetrics(); | 
|  | 
| -#if defined(OFFICIAL_BUILD) && !defined(OS_ANDROID) && !defined(OS_IOS) | 
| -  // Take care of any mandates for public key pinning. | 
| -  // | 
| -  // Pinning is only enabled for official builds to make sure that others don't | 
| -  // end up with pins that cannot be easily updated. | 
| -  // | 
| -  // TODO(agl): We might have an issue here where a request for foo.example.com | 
| -  // merges into a SPDY connection to www.example.com, and gets a different | 
| -  // certificate. | 
| - | 
| -  // Perform pin validation if, and only if, all these conditions obtain: | 
| -  // | 
| -  // * a TransportSecurityState object is available; | 
| -  // * the server's certificate chain is valid (or suffers from only a minor | 
| -  //   error); | 
| -  // * the server's certificate chain chains up to a known root (i.e. not a | 
| -  //   user-installed trust anchor); and | 
| -  // * the build is recent (very old builds should fail open so that users | 
| -  //   have some chance to recover). | 
| -  // | 
| +  bool sni_available = | 
| +      ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || | 
| +      ssl_config_.version_fallback; | 
| const CertStatus cert_status = server_cert_verify_result_.cert_status; | 
| if (transport_security_state_ && | 
| (result == OK || | 
| (IsCertificateError(result) && IsCertStatusMinorError(cert_status))) && | 
| -      server_cert_verify_result_.is_issued_by_known_root && | 
| -      TransportSecurityState::IsBuildTimely()) { | 
| -    bool sni_available = | 
| -        ssl_config_.version_max >= SSL_PROTOCOL_VERSION_TLS1 || | 
| -        ssl_config_.version_fallback; | 
| -    const std::string& host = host_and_port_.host(); | 
| - | 
| -    if (transport_security_state_->HasPublicKeyPins(host, sni_available)) { | 
| -      if (!transport_security_state_->CheckPublicKeyPins( | 
| -              host, | 
| -              sni_available, | 
| -              server_cert_verify_result_.public_key_hashes, | 
| -              &pinning_failure_log_)) { | 
| -        LOG(ERROR) << pinning_failure_log_; | 
| -        result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 
| -        UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", false); | 
| -        TransportSecurityState::ReportUMAOnPinFailure(host); | 
| -      } else { | 
| -        UMA_HISTOGRAM_BOOLEAN("Net.PublicKeyPinSuccess", true); | 
| -      } | 
| -    } | 
| +      !transport_security_state_->CheckPublicKeyPins( | 
| +          host_and_port_.host(), | 
| +          sni_available, | 
| +          server_cert_verify_result_.is_issued_by_known_root, | 
| +          server_cert_verify_result_.public_key_hashes, | 
| +          &pinning_failure_log_)) { | 
| +    result = ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN; | 
| } | 
| -#endif | 
|  | 
| if (result == OK) { | 
| // Only check Certificate Transparency if there were no other errors with | 
|  |