net: ignore revocation check failures when fetching a proxy script.

Revocation checking should already be disabled for loading PAC scripts but
rsleevi suggests that there's a bug in OS X which causes revocation checking to
occur anyway. That would explain when the bug reporter saw
UNABLE_TO_CHECK_REVOCATION.

Therefore, ignore revocation check failures when fetching PAC scripts.

BUG=98833
TEST=Block access to the OCSP and CRL for a certificate in a chain for an HTTPS PAC script. Check that the PAC script still loads.

Review URL: http://codereview.chromium.org/8201009

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@105086 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 5 insertions, 0 deletions

diff --git a/net/proxy/proxy_script_fetcher_impl.cc b/net/proxy/proxy_script_fetcher_impl.cc
index 7492c1a..321f0f0 100644
--- a/net/proxy/proxy_script_fetcher_impl.cc
+++ b/net/proxy/proxy_script_fetcher_impl.cc
@@ -194,6 +194,11 @@ void ProxyScriptFetcherImpl::OnSSLCertificateError(URLRequest* request,
                                                    const SSLInfo& ssl_info,
                                                    bool is_hsts_host) {
   DCHECK_EQ(request, cur_request_.get());
+  // Revocation check failures are not fatal.
+  if (IsCertStatusMinorError(ssl_info.cert_status)) {
+    request->ContinueDespiteLastError();
+    return;
+  }
   LOG(WARNING) << "SSL certificate error when fetching PAC script, aborting.";
   // Certificate errors are in same space as net errors.
   result_code_ = MapCertStatusToNetError(ssl_info.cert_status);