Perform dynamic pin checks even when the build is not timely.

net/http/transport_security_state.cc

Index: net/http/transport_security_state.cc
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 508784ea399c53817f1d7f43fb1e2b700c9696e0..3bf6251073294ac693b6975db2d13e8be83d8795 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -133,14 +133,8 @@ bool TransportSecurityState::CheckPublicKeyPins(
   //
   // * the server's certificate chain chains up to a known root (i.e. not a
   //   user-installed trust anchor); and
-  // * the build is recent (very old builds should fail open so that users
-  //   have some chance to recover).
   // * the server actually has public key pins.
-  //
-  // TODO(rsleevi): http://crbug.com/391032 - Only disable static HPKP if the
-  // build is not timely.
-  if (!is_issued_by_known_root || !IsBuildTimely() ||
-      !HasPublicKeyPins(host, sni_available)) {
+  if (!is_issued_by_known_root || !HasPublicKeyPins(host, sni_available)) {
     return true;
   }
 
@@ -799,6 +793,11 @@ bool TransportSecurityState::CheckPublicKeyPinsImpl(
   if (GetDynamicDomainState(host, &dynamic_state))
     return dynamic_state.CheckPublicKeyPins(hashes, failure_log);
 
+  // Very old builds should fail open so that users have some chance
+  // to recover.
+  if (!IsBuildTimely())
+    return true;

[Ryan Sleevi, 2014/08/12 01:04:53]

This seems unnecessary, given that GetStaticDomainState checks is_build_timely
directly

[Ryan Hamilton, 2014/08/12 14:01:55]

Done. Hah! I totally missed that.

+
   DomainState static_state;
   if (GetStaticDomainState(host, sni_enabled, &static_state))
     return static_state.CheckPublicKeyPins(hashes, failure_log);