Interstitial options are not OR'd properly.

chrome/browser/chrome_content_browser_client.cc

Index: chrome/browser/chrome_content_browser_client.cc
diff --git a/chrome/browser/chrome_content_browser_client.cc b/chrome/browser/chrome_content_browser_client.cc
index 5231b91500fef9a3dc1ca9f9f3fca36cde82b484..084ba570fbf8c67520339fb32612c493eca47152 100644
--- a/chrome/browser/chrome_content_browser_client.cc
+++ b/chrome/browser/chrome_content_browser_client.cc
@@ -1712,11 +1712,11 @@ void ChromeContentBrowserClient::AllowCertificateError(
   // ownership of ssl_blocking_page.
   int options_mask = 0;
   if (overridable)
-    options_mask = SSLBlockingPage::OVERRIDABLE;
+    options_mask |= SSLBlockingPage::OVERRIDABLE;

[meacer, 2014/09/18 18:03:33]

Looks like overridable, strict_enforcement and expired_previous_decision are
extracted from another options_mask at
https://code.google.com/p/chromium/codesearch#chromium/src/content/browser/ss...

So perhaps you can just pass options_mask all the way from there to here?

[jww, 2014/09/18 20:11:19]

Yup, I like the suggestion. Done.

   if (strict_enforcement)
-    options_mask = SSLBlockingPage::STRICT_ENFORCEMENT;
+    options_mask |= SSLBlockingPage::STRICT_ENFORCEMENT;
   if (expired_previous_decision)
-    options_mask = SSLBlockingPage::EXPIRED_BUT_PREVIOUSLY_ALLOWED;
+    options_mask |= SSLBlockingPage::EXPIRED_BUT_PREVIOUSLY_ALLOWED;
   SSLBlockingPage* ssl_blocking_page = new SSLBlockingPage(
       tab, cert_error, ssl_info, request_url, options_mask, callback);
   ssl_blocking_page->Show();