Treat HSTS and HPKP state independently.

net/http/http_security_headers_unittest.cc

Index: net/http/http_security_headers_unittest.cc
diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc
index d09f6fd308d49ab6dc5c207f6b8d91b72aad52ad..2c468df55ebfe3a1693c26221d8e5f1d2ae32924 100644
--- a/net/http/http_security_headers_unittest.cc
+++ b/net/http/http_security_headers_unittest.cc
@@ -391,6 +391,7 @@ static void TestValidPKPHeaders(HashValueTag tag) {
 
   // The good pin must be in the chain, the backup pin must not be
   std::string good_pin = GetTestPin(2, tag);
+  std::string good_pin2 = GetTestPin(3, tag);
   std::string backup_pin = GetTestPin(4, tag);
 
   EXPECT_TRUE(ParseHPKPHeader(
@@ -468,8 +469,7 @@ static void TestValidPKPHeaders(HashValueTag tag) {
   EXPECT_EQ(expect_max_age, max_age);
   EXPECT_FALSE(include_subdomains);
 
-  // Test that parsing the same header twice doesn't duplicate the recorded
-  // hashes.
+  // Test that parsing a different header resets the hashes.

[Ryan Sleevi, 2015/01/13 21:56:40]

Is there any test for when we have one pin header, but encounter an invalid pin
header, and ensure that the original pin header was not botched? This would have
caught the situation I described.

[davidben, 2015/01/13 23:30:47]

Added one. (Although it wasn't a bug in the old version either.)

   hashes.clear();
   EXPECT_TRUE(ParseHPKPHeader(
       "  max-age=999;  " +
@@ -477,9 +477,8 @@ static void TestValidPKPHeaders(HashValueTag tag) {
       chain_hashes, &max_age, &include_subdomains, &hashes));
   EXPECT_EQ(2u, hashes.size());
   EXPECT_TRUE(ParseHPKPHeader(
-      "  max-age=999;  " +
-          backup_pin + ";" + good_pin + ";   ",
-      chain_hashes, &max_age, &include_subdomains, &hashes));
+      "  max-age=999;  " + backup_pin + ";" + good_pin2 + ";   ", chain_hashes,
+      &max_age, &include_subdomains, &hashes));
   EXPECT_EQ(2u, hashes.size());
 }