authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-05-10 22:57:32 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-05-10 22:57:32 +0000
commit3f1d5b02aa8bdc9c7f13a943403773f371a88d33 (patch)
tree2b69dee7218090b03ad9874212992f692ec05f3d
parenta4ce60aa82edd9674712d3d6ea88c5958b470ee9 (diff)
Add a final few pin hosts to the HSTS metadata.
TEST=TransportSecurityStateTest.* Review URL: http://codereview.chromium.org/6996001 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@84885 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/transport_security_state.cc8
-rw-r--r--net/base/transport_security_state_unittest.cc21
2 files changed, 29 insertions, 0 deletions
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc
index 14b95e6..8fdfd39 100644
--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -604,6 +604,12 @@ bool TransportSecurityState::IsPreloadedSTS(
{16, true, "\012googleapis\003com", false, kGoogleAcceptableCerts },
{22, true, "\020googleadservices\003com", false, kGoogleAcceptableCerts },
{16, true, "\012googlecode\003com", false, kGoogleAcceptableCerts },
+ {13, true, "\007appspot\003com", false, kGoogleAcceptableCerts },
+ {23, true, "\021googlesyndication\003com", false, kGoogleAcceptableCerts },
+ {17, true, "\013doubleclick\003net", false, kGoogleAcceptableCerts },
+ // Exclude the learn.doubleclick.net subdomain because it uses a different
+ // CA.
+ {23, true, "\005learn\013doubleclick\003net", false, 0 },
// Now we force HTTPS for other sites that have requested it.
{16, false, "\003www\006paypal\003com", true, 0 },
{16, false, "\003www\006elanex\003biz", true, 0 },
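Review bot: The `learn.doubleclick.net` exception only works if the lookup prefers this longer name over the `doubleclick.net` entry two lines above it. That matching loop is outside the hunk, so the ordering dependency should be stated next to the entry. Because the second field is `true` and the pin field is `0`, the whole `learn.doubleclick.net` subtree appears to be left with no pin at all, rather than pinned to the other CA. I would extend the comment to something like `// Exclude learn.doubleclick.net (and its subdomains) from pinning: it uses a different CA. Relies on the most specific entry matching first; remove once it is served from a pinned chain.` The enclosing table and `IsPreloadedSTS` begin and end outside the hunk.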
@@ -650,6 +656,8 @@ bool TransportSecurityState::IsPreloadedSTS(
// These SNI-only domains must use an acceptable certificate iff using
// HTTPS.
{22, true, "\020google-analytics\003com", false, kGoogleAcceptableCerts },
+ // www. requires SNI.
+ {18, true, "\014googlegroups\003com", false, kGoogleAcceptableCerts },
};
static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
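Review bot: The comment `// www. requires SNI.` on the `googlegroups.com` entry is too terse to explain the security consequence of placing the host in `kPreloadedSNISTS`. As the unit test in this commit shows for `a.googlegroups.com`, a client connecting without SNI gets no pin enforcement for this domain. I would spell that out, e.g. `// www.googlegroups.com requires SNI, so the pins are only enforced on SNI-capable connections; non-SNI clients are not pinned for this domain.` The length byte `18` matches the encoded name including its terminator, so the entry itself looks right.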
diff --git a/net/base/transport_security_state_unittest.cc b/net/base/transport_security_state_unittest.cc
index 4f4cf24..9e044e4 100644
--- a/net/base/transport_security_state_unittest.cc
+++ b/net/base/transport_security_state_unittest.cc
@@ -531,6 +531,14 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
"googleadservices.com",
true));
EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "googlecode.com", true));
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "appspot.com", true));
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state,
+ "googlesyndication.com",
+ true));
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "doubleclick.net", true));
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state,
+ "googlegroups.com",
+ true));
EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "gmail.com", true));
EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.gmail.com", true));
@@ -709,6 +717,19 @@ TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
EXPECT_TRUE(state->HasPinsForHost(&domain_state,
"kibbles.googlecode.com",
true));
+ EXPECT_TRUE(state->HasPinsForHost(&domain_state, "appspot.com", true));
+ EXPECT_TRUE(state->HasPinsForHost(&domain_state,
+ "googlesyndication.com",
+ true));
+ EXPECT_TRUE(state->HasPinsForHost(&domain_state, "doubleclick.net", true));
+ EXPECT_TRUE(state->HasPinsForHost(&domain_state, "ad.doubleclick.net", true));
+ EXPECT_FALSE(state->HasPinsForHost(&domain_state,
+ "learn.doubleclick.net",
+ true));
+ EXPECT_TRUE(state->HasPinsForHost(&domain_state, "a.googlegroups.com", true));
+ EXPECT_FALSE(state->HasPinsForHost(&domain_state,
+ "a.googlegroups.com",
+ false));
}
TEST_F(TransportSecurityStateTest, ForcePreloads) {
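Review bot: The new assertions in `OptionalHSTSCertPins` check the `learn.doubleclick.net` exclusion only for the exact host, although the table entry is written with the subdomain flag set. A regression in match precedence for a deeper name would go unnoticed, so I would add `EXPECT_FALSE(state->HasPinsForHost(&domain_state, "a.learn.doubleclick.net", true));`. The bare `googlegroups.com` host is likewise untested for pins, since only `a.googlegroups.com` is checked; adding `EXPECT_TRUE(state->HasPinsForHost(&domain_state, "googlegroups.com", true));` would cover the apex under SNI.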