7 files changed, 60 insertions, 5 deletions
diff --git a/chrome/browser/net/chrome_url_request_context.cc b/chrome/browser/net/chrome_url_request_context.cc
index 06b3739..3ea9cc1 100644
--- a/chrome/browser/net/chrome_url_request_context.cc
+++ b/chrome/browser/net/chrome_url_request_context.cc
@@ -292,6 +292,8 @@ ChromeURLRequestContext::ChromeURLRequestContext(Profile* profile)
   cookie_policy_.SetType(net::CookiePolicy::FromInt(
       prefs_->GetInteger(prefs::kCookieBehavior)));
 
+  force_tls_state_ = profile->GetForceTLSState();
+
   if (profile->GetExtensionsService()) {
     const ExtensionList* extensions =
         profile->GetExtensionsService()->extensions();
diff --git a/chrome/browser/profile.cc b/chrome/browser/profile.cc
index 1c76c49..cdb7c00 100644
--- a/chrome/browser/profile.cc
+++ b/chrome/browser/profile.cc
@@ -39,6 +39,7 @@
 #include "chrome/common/pref_names.h"
 #include "chrome/common/render_messages.h"
 #include "grit/locale_settings.h"
+#include "net/base/force_tls_state.h"
 
 using base::Time;
 using base::TimeDelta;
@@ -171,6 +172,13 @@ class OffTheRecordProfileImpl : public Profile,
     return ssl_host_state_.get();
   }
 
+  virtual net::ForceTLSState* GetForceTLSState() {
+    if (!force_tls_state_.get())
+      force_tls_state_.reset(new net::ForceTLSState());
+
+    return force_tls_state_.get();
+  }
+
   virtual HistoryService* GetHistoryService(ServiceAccessType sat) {
     if (sat == EXPLICIT_ACCESS) {
       return profile_->GetHistoryService(sat);
@@ -389,6 +397,9 @@ class OffTheRecordProfileImpl : public Profile,
   // the user visited while OTR.
   scoped_ptr<SSLHostState> ssl_host_state_;
 
+  // The ForceTLSState that only stores enabled sites in memory.
+  scoped_ptr<net::ForceTLSState> force_tls_state_;
+
   // Extensions run in a different context in incognito mode.
   scoped_ptr<ExtensionProcessManager> extension_process_manager_;
 
@@ -627,6 +638,13 @@ SSLHostState* ProfileImpl::GetSSLHostState() {
   return ssl_host_state_.get();
 }
 
+net::ForceTLSState* ProfileImpl::GetForceTLSState() {
+  if (!force_tls_state_.get())
+    force_tls_state_.reset(new net::ForceTLSState());
+
+  return force_tls_state_.get();
+}
+
 PrefService* ProfileImpl::GetPrefs() {
   if (!prefs_.get()) {
     prefs_.reset(new PrefService(GetPrefFilePath(),
diff --git a/chrome/browser/profile.h b/chrome/browser/profile.h
index 6ec129c..be775c2 100644
--- a/chrome/browser/profile.h
+++ b/chrome/browser/profile.h
@@ -20,6 +20,9 @@
 #endif
 #include "chrome/common/notification_observer.h"
 
+namespace net {
+class ForceTLSState;
+}
 class BookmarkModel;
 class ChromeURLRequestContext;
 class DownloadManager;
@@ -128,6 +131,11 @@ class Profile {
   // called.
   virtual SSLHostState* GetSSLHostState() = 0;
 
+  // Retrieves a pointer to the ForceTLStSate associated with this profile.
+  // The ForceTLSState is lazily created the first time that this method is
+  // called.
+  virtual net::ForceTLSState* GetForceTLSState() = 0;
+
   // Retrieves a pointer to the HistoryService associated with this
   // profile.  The HistoryService is lazily created the first time
   // that this method is called.
@@ -301,6 +309,7 @@ class ProfileImpl : public Profile,
   virtual VisitedLinkMaster* GetVisitedLinkMaster();
   virtual UserScriptMaster* GetUserScriptMaster();
   virtual SSLHostState* GetSSLHostState();
+  virtual net::ForceTLSState* GetForceTLSState();
   virtual ExtensionsService* GetExtensionsService();
   virtual ExtensionProcessManager* GetExtensionProcessManager();
   virtual HistoryService* GetHistoryService(ServiceAccessType sat);
@@ -371,6 +380,7 @@ class ProfileImpl : public Profile,
   scoped_refptr<UserScriptMaster> user_script_master_;
   scoped_ptr<ExtensionProcessManager> extension_process_manager_;
   scoped_ptr<SSLHostState> ssl_host_state_;
+  scoped_ptr<net::ForceTLSState> force_tls_state_;
   scoped_ptr<PrefService> prefs_;
   scoped_ptr<TemplateURLFetcher> template_url_fetcher_;
   scoped_ptr<TemplateURLModel> template_url_model_;
diff --git a/chrome/browser/ssl/ssl_policy.cc b/chrome/browser/ssl/ssl_policy.cc
index 7004da7..3bf64e5 100644
--- a/chrome/browser/ssl/ssl_policy.cc
+++ b/chrome/browser/ssl/ssl_policy.cc
@@ -6,6 +6,8 @@
 
 #include "app/l10n_util.h"
 #include "app/resource_bundle.h"
+#include "base/base_switches.h"
+#include "base/command_line.h"
 #include "base/singleton.h"
 #include "base/string_piece.h"
 #include "base/string_util.h"
@@ -117,11 +119,15 @@ void SSLPolicy::OnMixedContent(SSLMixedContentHandler* handler) {
 
   // If the user has added an exception, doctor the |filter_policy|.
   std::string host = GURL(handler->main_frame_origin()).host();
-  if (backend_->DidAllowMixedContentForHost(host) ||
-      backend_->DidMarkHostAsBroken(host, handler->pid()))
+  if (CommandLine::ForCurrentProcess()->HasSwitch(switches::kForceHTTPS) &&
+      backend_->IsForceTLSEnabledForHost(host)) {
+    // We're supposed to block all mixed content for this host.
+    filter_policy = FilterPolicy::FILTER_ALL;
+  } else if (backend_->DidAllowMixedContentForHost(host) ||
+             backend_->DidMarkHostAsBroken(host, handler->pid())) {
+    // Let the mixed content through.
     filter_policy = FilterPolicy::DONT_FILTER;
-
-  if (filter_policy != FilterPolicy::DONT_FILTER) {
+  } else if (filter_policy != FilterPolicy::DONT_FILTER) {
     backend_->ShowMessageWithLink(
         l10n_util::GetString(IDS_SSL_INFO_BAR_FILTERED_CONTENT),
         l10n_util::GetString(IDS_SSL_INFO_BAR_SHOW_CONTENT),
diff --git a/chrome/browser/ssl/ssl_policy_backend.cc b/chrome/browser/ssl/ssl_policy_backend.cc
index 9b1eed8..8852190 100644
--- a/chrome/browser/ssl/ssl_policy_backend.cc
+++ b/chrome/browser/ssl/ssl_policy_backend.cc
@@ -13,6 +13,7 @@
 #include "chrome/common/notification_service.h"
 #include "grit/generated_resources.h"
 #include "grit/theme_resources.h"
+#include "net/base/force_tls_state.h"
 
 using WebKit::WebConsoleMessage;
 
@@ -67,7 +68,8 @@ class SSLInfoBarDelegate : public ConfirmInfoBarDelegate {
 
 SSLPolicyBackend::SSLPolicyBackend(NavigationController* controller)
     : controller_(controller),
-      ssl_host_state_(controller->profile()->GetSSLHostState()) {
+      ssl_host_state_(controller->profile()->GetSSLHostState()),
+      force_tls_state_(controller->profile()->GetForceTLSState()) {
   DCHECK(controller_);
 }
 
@@ -159,6 +161,10 @@ bool SSLPolicyBackend::DidAllowMixedContentForHost(
   return ssl_host_state_->DidAllowMixedContentForHost(host);
 }
 
+bool SSLPolicyBackend::IsForceTLSEnabledForHost(const std::string& host) const {
+  return force_tls_state_->IsEnabledForHost(host);
+}
+
 void SSLPolicyBackend::Reload() {
   controller_->Reload(true);
 }
diff --git a/chrome/browser/ssl/ssl_policy_backend.h b/chrome/browser/ssl/ssl_policy_backend.h
index f8a829c..2d84232 100644
--- a/chrome/browser/ssl/ssl_policy_backend.h
+++ b/chrome/browser/ssl/ssl_policy_backend.h
@@ -13,6 +13,9 @@
 #include "net/base/x509_certificate.h"
 #include "webkit/api/public/WebConsoleMessage.h"
 
+namespace net {
+class ForceTLSState;
+}
 class NavigationController;
 class SSLHostState;
 class Task;
@@ -68,6 +71,9 @@ class SSLPolicyBackend {
   // Returns whether the specified host is allowed to show mixed content.
   bool DidAllowMixedContentForHost(const std::string& host) const;
 
+  // Returns whether ForceTLS is enabled for |host|.
+  bool IsForceTLSEnabledForHost(const std::string& host) const;
+
   // Reloads the tab.
   void Reload();
 
@@ -112,6 +118,10 @@ class SSLPolicyBackend {
   // SSL state specific for each host.
   SSLHostState* ssl_host_state_;
 
+  // ForceTLS state.
+  // TODO(abarth): Consider combining with SSLHostState?
+  net::ForceTLSState* force_tls_state_;
+
   // The list of messages that should be displayed (in info bars) when the page
   // currently loading had loaded.
   std::vector<SSLMessageInfo> pending_messages_;
diff --git a/chrome/test/testing_profile.h b/chrome/test/testing_profile.h
index f83e5e4..974d31d 100644
--- a/chrome/test/testing_profile.h
+++ b/chrome/test/testing_profile.h
@@ -90,6 +90,9 @@ class TestingProfile : public Profile {
   virtual SSLHostState* GetSSLHostState() {
     return NULL;
   }
+  virtual net::ForceTLSState* GetForceTLSState() {
+    return NULL;
+  }
   virtual HistoryService* GetHistoryService(ServiceAccessType access) {
     return history_service_.get();
   }