Remove DenyCertForHost from SSLHostStateDelegate API.

content/browser/ssl/ssl_policy_backend.h

Index: content/browser/ssl/ssl_policy_backend.h
diff --git a/content/browser/ssl/ssl_policy_backend.h b/content/browser/ssl/ssl_policy_backend.h
index 5997b289aabda4616b9e923ebd7242f5060e7418..640f98a18fe8d1ae122786c64d7777124ca3eaca 100644
--- a/content/browser/ssl/ssl_policy_backend.h
+++ b/content/browser/ssl/ssl_policy_backend.h
@@ -27,21 +27,17 @@ class SSLPolicyBackend {
   // Returns whether the specified host ran insecure content.
   bool DidHostRunInsecureContent(const std::string& host, int pid) const;
 
-  // Records that |cert| is not permitted to be used for |host| in the future,
-  // for a specific error type.
-  void DenyCertForHost(net::X509Certificate* cert,
-                       const std::string& host,
-                       net::CertStatus error);
-
   // Records that |cert| is permitted to be used for |host| in the future, for
   // a specific error type.
   void AllowCertForHost(net::X509Certificate* cert,
                         const std::string& host,
                         net::CertStatus error);
 
-  // Queries whether |cert| is allowed or denied for |host|. Returns true in
+  // Queries whether |cert| is allowed for |host|. Returns true in
   // |expired_previous_decision| if a user decision had been made previously but
-  // that decision has expired, otherwise false.
+  // that decision has expired, otherwise false. Since the API does not
+  // currently provide a way to deny certs, QueryPolicy guarantees to return
+  // either ALLOWED or UNKNOWN but never DENIED.
   net::CertPolicy::Judgment QueryPolicy(net::X509Certificate* cert,
                                         const std::string& host,
                                         net::CertStatus error,