I chose to add a new certificate auto-selection policy, because the existing certificate auto-selection is very coupled with Chrome. The existing AutoSelectCertificateUrls requires chrome/common/content_settings_pattern.h (which depends on other browser specific files, and is otherwise very browser-specific logic) to parse the URL pattern, and chrome/browser/chrome_content_browser_client.cc to match the certificate. Also, URLFetcher doesn't support sending certificates, and supporting it is a strict non-goal ( https://codereview.chromium.org/136883010/ ), so I had to use the lower level URLRequest, and have tokenvalidator do its own buffering. Finally, the client certificate store has some unpleasant lifetime requirements, so there are some hacks to deal with that as well. BUG=315825 Review URL: https://codereview.chromium.org/133273025 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@246456 0039d316-1c4b-4281-b951-d872f2087c98