Fix cert errors on the official WPT test runner.

On the official WPT test runner, we can't test reporting at all.
See https://crbug.com/1121605

The "Report-To" header isn't parsed at all, due to an SSL certificate
error.
We are already using "--ignore-certificate-errors", but apparently this
isn't enough, we also need: "--ignore-certificate-errors-spki-list=XXXX"

Where XXX can be generated with:
```
openssl x509 -noout -pubkey -in ./tools/certs/web-platform.test.pem |
openssl pkey -pubin -outform der |
openssl dgst -sha256 -binary |
base64
```

This is adapted from the internal chrome test runner:
third_party/blink/tools/blinkpy/web_tests/port/base.py
(Search for WPT_FINGERPRINT)

Along the way, I found this issue:
https://github.com/web-platform-tests/wpt/issues/24180
which I think might also be fixed by this patch.

BUG=1121605

Change-Id: Ia6e98a5050c8d2513d605a45cd349a52314282cc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2390748
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Robert Ma <robertma@chromium.org>
Reviewed-by: Stephen McGruer <smcgruer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#804377}

third_party/blink/web_tests/external/wpt/tools/wptrunner/wptrunner/browsers/chrome.py

@@ -23,6 +23,24 @@ __wptrunner__ = {"product": "chrome",
                  "env_options": "env_options",
                  "timeout_multiplier": "get_timeout_multiplier",}
 
+# This is generated using:
+# ```
+# openssl x509 -noout -pubkey -in ./tools/certs/web-platform.test.pem |
+# openssl pkey -pubin -outform der |
+# openssl dgst -sha256 -binary |
+# base64
+# ```
+# TODO(https://github.com/web-platform-tests/wpt/issues/21968):
+# Automate the regeneration of this value.
+WPT_FINGERPRINT = 'VPzsk0tdACJMqhsnPpMDesIkQYZrI2RGR+UlPK4emE4='
+
+# And one for signed-exchange/resources/127.0.0.1.sxg.pem
+SXG_WPT_FINGERPRINT = '0Rt4mT6SJXojEMHTnKnlJ/hBKMBcI4kteBlhR1eTTdk='
+
+IGNORE_CERTIFICATE_ERRORS_SPKI_LIST = [
+    WPT_FINGERPRINT,
+    SXG_WPT_FINGERPRINT
+]
 
 def check_args(**kwargs):
     require_arg(kwargs, "webdriver_binary")
@@ -67,7 +85,12 @@ def executor_kwargs(test_type, server_config, cache_manager, run_info_data,
     # Here we set a few Chrome flags that are always passed.
     # ChromeDriver's "acceptInsecureCerts" capability only controls the current
     # browsing context, whereas the CLI flag works for workers, too.
-    chrome_options["args"] = ["--ignore-certificate-errors"]
+    chrome_options["args"] = []
+
+    chrome_options["args"].append("--ignore-certificate-errors")
+    chrome_options["args"].append("--ignore-certificate-errors-spki-list=%s" %
+                                  ','.join(IGNORE_CERTIFICATE_ERRORS_SPKI_LIST))
+
     # Allow audio autoplay without a user gesture.
     chrome_options["args"].append("--autoplay-policy=no-user-gesture-required")
     # Allow WebRTC tests to call getUserMedia.