Revert of Don't process HSTS/HPKP headers when host is an IP address (patchset...

Revert of Don't process HSTS/HPKP headers when host is an IP address (patchset #9 id:160001 of https://codereview.chromium.org/1059303002/)

Reason for revert:
This change seems to break WebSockets tests broken on Mac: https://build.chromium.org/p/chromium.mac/builders/Mac10.6%20Tests/builds/758

Tests need to be fixed before it can be re-landed.

Original issue's description:
> Don't process HSTS/HPKP headers when host is an IP address
>
> HSTS/HPKP headers should only be parsed when the host is not an IP
> address. This change requires fixing the HSTS/HPKP tests to use
> localhost test server URLs instead of 127.0.0.1, with a corresponding
> cert.
>
> BUG=456712
>
> Committed: https://crrev.com/8488b5886ccec4820578905acd42f95cf42f5b17
> Cr-Commit-Position: refs/heads/master@{#323913}

TBR=rsleevi@chromium.org,palmer@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=456712

Review URL: https://codereview.chromium.org/1066613002

Cr-Commit-Position: refs/heads/master@{#323939}

chrome/browser/net/websocket_browsertest.cc

@@ -300,25 +300,20 @@ IN_PROC_BROWSER_TEST_F(WebSocketBrowserTest, SSLConnectionLimit) {
 IN_PROC_BROWSER_TEST_F(WebSocketBrowserTest, WebSocketAppliesHSTS) {
   net::SpawnedTestServer https_server(
       net::SpawnedTestServer::TYPE_HTTPS,
-      net::SpawnedTestServer::SSLOptions(
-          net::SpawnedTestServer::SSLOptions::CERT_OK_FOR_LOCALHOST),
+      net::SpawnedTestServer::SSLOptions(),
       base::FilePath(FILE_PATH_LITERAL("chrome/test/data")));
-  net::SpawnedTestServer wss_server(
-      net::SpawnedTestServer::TYPE_WSS,
-      net::SpawnedTestServer::SSLOptions(
-          net::SpawnedTestServer::SSLOptions::CERT_OK_FOR_LOCALHOST),
-      net::GetWebSocketTestDataDirectory());
-  // This test sets HSTS on localhost. To avoid being redirected to https, start
-  // the http server on 127.0.0.1 instead.
+  // This test sets HSTS on 127.0.0.1. To avoid being redirected to https, start
+  // the http server on "localhost" instead.
   net::SpawnedTestServer http_server(
-      net::SpawnedTestServer::TYPE_HTTP, net::SpawnedTestServer::kLocalhost,
+      net::SpawnedTestServer::TYPE_HTTP,
+      "localhost",
       base::FilePath(FILE_PATH_LITERAL("chrome/test/data")));
   ASSERT_TRUE(https_server.StartInBackground());
   ASSERT_TRUE(http_server.StartInBackground());
-  ASSERT_TRUE(wss_server.StartInBackground());
+  ASSERT_TRUE(wss_server_.StartInBackground());
   ASSERT_TRUE(https_server.BlockUntilStarted());
 
-  // Set HSTS on localhost.
+  // Set HSTS on 127.0.0.1.
   content::TitleWatcher title_watcher(
       browser()->tab_strip_model()->GetActiveWebContents(),
       base::ASCIIToUTF16("SET"));
@@ -328,8 +323,8 @@ IN_PROC_BROWSER_TEST_F(WebSocketBrowserTest, WebSocketAppliesHSTS) {
   EXPECT_TRUE(EqualsASCII(result, "SET"));
 
   // Verify that it applies to WebSockets.
-  ASSERT_TRUE(wss_server.BlockUntilStarted());
-  GURL wss_url = wss_server.GetURL("echo-with-no-extension");
+  ASSERT_TRUE(wss_server_.BlockUntilStarted());
+  GURL wss_url = wss_server_.GetURL("echo-with-no-extension");
   std::string scheme("ws");
   GURL::Replacements scheme_replacement;
   scheme_replacement.SetSchemeStr(scheme);

net/data/ssl/certificates/localhost_cert.pem

------BEGIN PRIVATE KEY-----
-MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQCvaqKl55EBl974
-UxivDfhGARaIX5OUIO9RVi98YYXMEoIGC9IcUtfFyMNzqyaR30HzslhsQrunl3J9
-voeZAU9zh/jr5kW/PKFL0DMeoKUEToDFCvZaLZoJljRZ8gZxPZ7+qBm/RancIMjm
-mwce/v+rwh7k/gt1SbyhG7wD+8SzxC9ABYRwi9RbuKdfZ+KfpovU2uRPi8JYxSm2
-drgZCs4AEVFiIjvgkNv2rn93wx/blT0f4nse7oFboecSFT3U1Hu1P8MZP/tLEfhj
-PWc/eitEiIKdBVVMMQcO1hQXpbLCTndVhmYOOd18+G/hkkuwynigtDKI8kQQGz64
-em09uCsDAgMBAAECggEBAJyRYjEQWfYBFuuwR4TfxCy/hdwc6r05FEIV2fZ7mQ+H
-qXQ6EsRjEOIhCorwRVHH4rbgBVpDyfiRDYi8iY0AhWjKAVyUwMYrGJBxeV8p5X/N
-jdPRsAbXUvihj4KEqklixcnoQmrdg/nNbWOfFaEN2yfz8N1U/ucl9G4cMhmgG3aS
-94lppp5bqse61wVLKZUJVzBR7V0L8pgei7ZIJsI30k/gB+hqAiDlzL0veuTyhbP3
-wsr32bOCi8cBKro6wQkVIGWtkC7Rghz8VwfsR67Rxg+hsTPEJ34CFCl6TXctEItY
-gEVwRgHdw3Oe/83xlzNfSkkkQ9CQDeL3kvhW0POjbbkCgYEA1Uish6WiLRVQpwnN
-rSZNaLrH06Py20wpd2MKAp3p7JhsY1TO1IP1XPrq3899u8vNL6RjZ6fydspRLOOt
-d9ZkzmOSz4R9J6HQSz3NAQrK2yHw/1RJ0W8IjVHI2R1tYjxvIC+NZiNdLd7vjsRL
-Atz2R9B8hkvDEGB+aj4OqHuFCh8CgYEA0ox04N7yYkG8/i9Z+fQadgqSllgvb6w4
-hvKEhnwweu1q33n/YwZtQ89ElX0speK02ZH60AkNNXRRORVPCV60QhabXzax9Lba
-J+m+NtAYPABwbXPRJq4S5z9toWoqxCxKc36sCJqjdDE637xtEe8ULh2WEGmCctjC
-BpEk9xlMSp0CgYEArsLxu+RYUqCYiYZa5XnxC9OgUSaRpGdvwseAOEy0lI0AoxOm
-tjO6JQnk0qbt26dO5a7JVPIklnmIskOMrBkcWJD2htuEwaixSDXHeQci2ROiqVSj
-d9yHIWTWMjEOo+PpGnJcZkir3R5DJLRq0lnD42xN3KzPlOe8LcnTsPIlPPkCgYEA
-qFZgREI8bM6+ekQFnlDKr0H4vXe4RYLelxZjWtsEL+SOpCp4RAYpaiPXY+X2wpKl
-oaaTb60tAGYFYqxkyssLOCO3CcNDOLLRbUP3Lv/lwGNhgEEvIcvflUAjOQEXPE1l
-IT5P8Xkh4o5R0fxnAAW0jsJc7rZM8+HWD0YQ1fdGBgkCgYEAvsEfq+E0t52Vvn+d
-gxJE+N7Ny6Iu8cy47B0xKkyML//0vOquBun2cUYEqncloLI1a3wp1FykyJMJUX/d
-ZTJl7u5hhLHkhxSDVmyccw4v3Zhsn5/qb18jseE42Nbhtf8VhkZLOSbiHmxjrNdH
-V135E6sqWD6wkvGVbxn3haPe9+o=
------END PRIVATE KEY-----
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            12:78:95:65:51:49:92:01:32:10
-    Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=Test Root CA
-        Validity
-            Not Before: Apr  6 16:18:41 2015 GMT
-            Not After : Apr  3 16:18:41 2025 GMT
-        Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=localhost
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
-                Modulus:
-                    00:af:6a:a2:a5:e7:91:01:97:de:f8:53:18:af:0d:
-                    f8:46:01:16:88:5f:93:94:20:ef:51:56:2f:7c:61:
-                    85:cc:12:82:06:0b:d2:1c:52:d7:c5:c8:c3:73:ab:
-                    26:91:df:41:f3:b2:58:6c:42:bb:a7:97:72:7d:be:
-                    87:99:01:4f:73:87:f8:eb:e6:45:bf:3c:a1:4b:d0:
-                    33:1e:a0:a5:04:4e:80:c5:0a:f6:5a:2d:9a:09:96:
-                    34:59:f2:06:71:3d:9e:fe:a8:19:bf:45:a9:dc:20:
-                    c8:e6:9b:07:1e:fe:ff:ab:c2:1e:e4:fe:0b:75:49:
-                    bc:a1:1b:bc:03:fb:c4:b3:c4:2f:40:05:84:70:8b:
-                    d4:5b:b8:a7:5f:67:e2:9f:a6:8b:d4:da:e4:4f:8b:
-                    c2:58:c5:29:b6:76:b8:19:0a:ce:00:11:51:62:22:
-                    3b:e0:90:db:f6:ae:7f:77:c3:1f:db:95:3d:1f:e2:
-                    7b:1e:ee:81:5b:a1:e7:12:15:3d:d4:d4:7b:b5:3f:
-                    c3:19:3f:fb:4b:11:f8:63:3d:67:3f:7a:2b:44:88:
-                    82:9d:05:55:4c:31:07:0e:d6:14:17:a5:b2:c2:4e:
-                    77:55:86:66:0e:39:dd:7c:f8:6f:e1:92:4b:b0:ca:
-                    78:a0:b4:32:88:f2:44:10:1b:3e:b8:7a:6d:3d:b8:
-                    2b:03
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Subject Key Identifier: 
-                87:A2:09:4C:8C:84:57:D1:4A:30:35:53:8C:1D:04:01:18:21:15:CA
-            X509v3 Authority Key Identifier: 
-                keyid:BC:F7:30:D1:3C:C0:F2:79:FA:EF:9F:C9:6C:5C:93:F3:8A:68:AB:83
-
-            X509v3 Extended Key Usage: 
-                TLS Web Server Authentication, TLS Web Client Authentication
-            X509v3 Subject Alternative Name: 
-                DNS:localhost
-    Signature Algorithm: sha256WithRSAEncryption
-         9f:37:2e:c1:f9:7d:09:d6:94:52:09:bd:f1:b2:f7:3e:67:6e:
-         10:0b:65:cb:0e:c4:e7:cc:f7:25:9f:01:c0:e1:41:65:eb:bd:
-         61:f8:89:be:73:29:ad:07:15:98:89:ea:f0:77:d6:8e:20:35:
-         2b:0e:f3:64:05:f2:f0:20:73:56:23:0d:51:d9:19:b5:a8:cc:
-         a4:87:bb:63:2f:d1:e0:52:d0:5e:ae:93:c7:90:81:78:36:d4:
-         e6:a5:cc:db:c6:be:af:17:5b:80:83:34:2b:2d:dc:1e:f3:4c:
-         a0:04:70:f4:aa:90:1d:08:65:20:54:e1:32:5f:80:12:3e:76:
-         aa:1b:b9:2f:a7:36:54:99:a3:45:e4:43:1b:08:17:11:81:d0:
-         32:1d:68:c2:d1:b1:33:04:92:95:63:b8:26:18:79:12:ab:77:
-         14:80:58:4a:8a:a4:4e:ec:2e:07:02:22:de:67:92:03:54:0f:
-         31:6e:15:aa:53:6a:40:5b:d0:04:4e:c9:dc:a3:2a:0b:52:c9:
-         8b:92:9b:f4:4a:11:1b:e8:c1:da:54:9b:5c:ac:62:85:ce:ac:
-         9a:3d:0e:f5:4c:be:9d:53:5b:3e:bb:c0:a2:fe:a7:b2:10:eb:
-         02:d5:ce:ea:86:05:6e:77:c3:23:2d:45:c1:37:98:7b:6c:89:
-         13:92:95:8b
------BEGIN CERTIFICATE-----
-MIIDgjCCAmqgAwIBAgIKEniVZVFJkgEyEDANBgkqhkiG9w0BAQsFADAXMRUwEwYD
-VQQDDAxUZXN0IFJvb3QgQ0EwHhcNMTUwNDA2MTYxODQxWhcNMjUwNDAzMTYxODQx
-WjBgMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
-TW91bnRhaW4gVmlldzEQMA4GA1UECgwHVGVzdCBDQTESMBAGA1UEAwwJbG9jYWxo
-b3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr2qipeeRAZfe+FMY
-rw34RgEWiF+TlCDvUVYvfGGFzBKCBgvSHFLXxcjDc6smkd9B87JYbEK7p5dyfb6H
-mQFPc4f46+ZFvzyhS9AzHqClBE6AxQr2Wi2aCZY0WfIGcT2e/qgZv0Wp3CDI5psH
-Hv7/q8Ie5P4LdUm8oRu8A/vEs8QvQAWEcIvUW7inX2fin6aL1NrkT4vCWMUptna4
-GQrOABFRYiI74JDb9q5/d8Mf25U9H+J7Hu6BW6HnEhU91NR7tT/DGT/7SxH4Yz1n
-P3orRIiCnQVVTDEHDtYUF6Wywk53VYZmDjndfPhv4ZJLsMp4oLQyiPJEEBs+uHpt
-PbgrAwIDAQABo4GGMIGDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFIeiCUyMhFfR
-SjA1U4wdBAEYIRXKMB8GA1UdIwQYMBaAFLz3MNE8wPJ5+u+fyWxck/OKaKuDMB0G
-A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAUBgNVHREEDTALgglsb2NhbGhv
-c3QwDQYJKoZIhvcNAQELBQADggEBAJ83LsH5fQnWlFIJvfGy9z5nbhALZcsOxOfM
-9yWfAcDhQWXrvWH4ib5zKa0HFZiJ6vB31o4gNSsO82QF8vAgc1YjDVHZGbWozKSH
-u2Mv0eBS0F6uk8eQgXg21OalzNvGvq8XW4CDNCst3B7zTKAEcPSqkB0IZSBU4TJf
-gBI+dqobuS+nNlSZo0XkQxsIFxGB0DIdaMLRsTMEkpVjuCYYeRKrdxSAWEqKpE7s
-LgcCIt5nkgNUDzFuFapTakBb0AROydyjKgtSyYuSm/RKERvowdpUm1ysYoXOrJo9
-DvVMvp1TWz67wKL+p7IQ6wLVzuqGBW53wyMtRcE3mHtsiROSlYs=
------END CERTIFICATE-----

net/data/ssl/scripts/ee.cnf

@@ -25,22 +25,12 @@ CN = Duplicate
 O  = Bar
 CN = Duplicate
 
-[req_localhost_cn]
-C  = US
-ST = California
-L  = Mountain View
-O  = Test CA
-CN = localhost
-
 [req_punycode_dn]
 CN = xn--wgv71a119e.com
 
 [req_extensions]
 subjectAltName = IP:127.0.0.1
 
-[req_localhost_san]
-subjectAltName = DNS:localhost
-
 [req_punycode]
 basicConstraints = critical, CA:true
 subjectAltName   = @punycode_san

net/data/ssl/scripts/generate-aia-certs.sh

@@ -8,7 +8,8 @@
 # certificates that can be used to test fetching of an intermediate via AIA.
 
 try() {
-  "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
+  echo "$@"
+  "$@" || exit 1
 }
 
 try rm -rf out

net/data/ssl/scripts/generate-cross-signed-certs.sh

@@ -19,7 +19,12 @@
 # MD5root, or leaf -> MD5root -> SHA256root
 
 try() {
-  "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
+  echo "$@"
+  "$@" || exit 1
+}
+
+quiet_try() {
+    "$@" || exit 1
 }
 
 try rm -rf out
@@ -80,9 +85,9 @@ CA_COMMON_NAME="Test Dup-Hash Root CA" \
     -out out/ok_cert.pem \
     -config ca.cnf
 
-try openssl x509 -text \
+quiet_try openssl x509 -text \
     -in out/2048-md5-root.pem > ../certificates/cross-signed-root-md5.pem
-try openssl x509 -text \
+quiet_try openssl x509 -text \
     -in out/2048-sha256-root.pem > ../certificates/cross-signed-root-sha256.pem
-try openssl x509 -text \
+quiet_try openssl x509 -text \
     -in out/ok_cert.pem > ../certificates/cross-signed-leaf.pem

net/data/ssl/scripts/generate-policy-certs.sh

@@ -11,7 +11,8 @@
 # When validating, supplying no policy OID should not result in an error.
 
 try() {
-  "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
+  echo "$@"
+  "$@" || exit 1
 }
 
 try rm -rf out

net/data/ssl/scripts/generate-test-certs.sh

@@ -8,7 +8,8 @@
 # certificates that can be used to test fetching of an intermediate via AIA.
 
 try() {
-  "$@" || (e=$?; echo "$@" > /dev/stderr; exit $e)
+  echo "$@"
+  "$@" || exit 1
 }
 
 try rm -rf out
@@ -32,10 +33,11 @@ CA_COMMON_NAME="Test Root CA" \
   try openssl x509 \
     -req -days 3650 \
     -in out/2048-sha256-root.req \
+    -out out/2048-sha256-root.pem \
     -signkey out/2048-sha256-root.key \
     -extfile ca.cnf \
     -extensions ca_cert \
-    -text > out/2048-sha256-root.pem
+    -text
 
 # Generate the leaf certificate requests
 try openssl req \
@@ -50,14 +52,6 @@ try openssl req \
   -out out/ok_cert.req \
   -config ee.cnf
 
-SUBJECT_NAME=req_localhost_cn \
-try openssl req \
-  -new \
-  -keyout out/localhost_cert.key \
-  -out out/localhost_cert.req \
-  -reqexts req_localhost_san \
-  -config ee.cnf
-
 # Generate the leaf certificates
 CA_COMMON_NAME="Test Root CA" \
   try openssl ca \
@@ -98,19 +92,8 @@ CA_COMMON_NAME="Test Root CA" \
     -out out/name_constraint_good.pem \
     -config ca.cnf
 
-CA_COMMON_NAME="Test Root CA" \
-  try openssl ca \
-    -batch \
-    -extensions user_cert \
-    -days 3650 \
-    -in out/localhost_cert.req \
-    -out out/localhost_cert.pem \
-    -config ca.cnf
-
 try /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
     > ../certificates/ok_cert.pem"
-try /bin/sh -c "cat out/localhost_cert.key out/localhost_cert.pem \
-    > ../certificates/localhost_cert.pem"
 try /bin/sh -c "cat out/expired_cert.key out/expired_cert.pem \
     > ../certificates/expired_cert.pem"
 try /bin/sh -c "cat out/2048-sha256-root.key out/2048-sha256-root.pem \
@@ -125,7 +108,7 @@ try /bin/sh -c "cat out/ok_cert.key out/name_constraint_good.pem \
 try openssl req -x509 -days 3650 \
     -config ../scripts/ee.cnf -newkey rsa:2048 -text \
     -sha256 \
-    -out ../certificates/sha256.pem
+    -out sha256.pem
 
 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
 try openssl req -x509 -days 3650 -extensions req_spdy_pooling \

net/data/url_request_unittest/hpkp-headers.html.mock-http-headers

@@ -3,4 +3,4 @@ Cache-Control: private
 Content-Type: text/html; charset=ISO-8859-1
 X-Multiple-Entries: a
 X-Multiple-Entries: b
-Public-Key-Pins: max-age=50000; pin-sha1="K9e3/nFL5j90GuVJOJBv6WXpvcs="; pin-sha256="+TTrWvvJdM9gwuHiLTApo/2DBT2xb4hBPRJDI9pebXY="; pin-sha1="PshSs8WOjC7qwaYMv0T3rJDwKS4="
+Public-Key-Pins: max-age=50000; pin-sha1="K9e3/nFL5j90GuVJOJBv6WXpvcs="; pin-sha256="2zCMVDKgnKec0721Sp1zVh2yiHeW/LJK4STkNnEa1og="; pin-sha1="YeyCi9tceCqPzE8PFLuFMZOf9z0="

net/data/url_request_unittest/hsts-and-hpkp-headers.html.mock-http-headers

@@ -5,4 +5,4 @@ X-Multiple-Entries: a
 X-Multiple-Entries: b
 Strict-Transport-Security: max-age=12300
 Strict-Transport-Security: max-age=12300; includeSubdomains
-Public-Key-Pins: max-age=50000; pin-sha1="Wws2/Z7YhKlX73v3rYHBBxO4OLE="; pin-sha256="+TTrWvvJdM9gwuHiLTApo/2DBT2xb4hBPRJDI9pebXY="
+Public-Key-Pins: max-age=50000; pin-sha1="Wws2/Z7YhKlX73v3rYHBBxO4OLE="; pin-sha256="2zCMVDKgnKec0721Sp1zVh2yiHeW/LJK4STkNnEa1og="

net/data/url_request_unittest/hsts-and-hpkp-headers2.html.mock-http-headers

@@ -4,5 +4,5 @@ Content-Type: text/html; charset=ISO-8859-1
 X-Multiple-Entries: a
 X-Multiple-Entries: b
 Strict-Transport-Security: max-age=12300; includeSubdomains
-Public-Key-Pins: max-age=50000; pin-sha1="K9e3/nFL5j90GuVJOJBv6WXpvcs="; pin-sha256="+TTrWvvJdM9gwuHiLTApo/2DBT2xb4hBPRJDI9pebXY="; pin-sha1="PshSs8WOjC7qwaYMv0T3rJDwKS4="
-Public-Key-Pins: max-age=50000; pin-sha1="K9e3/nFL5j90GuVJOJBv6WXpvcs="; pin-sha256="+TTrWvvJdM9gwuHiLTApo/2DBT2xb4hBPRJDI9pebXY="; pin-sha1="PshSs8WOjC7qwaYMv0T3rJDwKS4="
+Public-Key-Pins: max-age=50000; pin-sha1="K9e3/nFL5j90GuVJOJBv6WXpvcs="; pin-sha256="2zCMVDKgnKec0721Sp1zVh2yiHeW/LJK4STkNnEa1og="; pin-sha1="YeyCi9tceCqPzE8PFLuFMZOf9z0="
+Public-Key-Pins: max-age=50000; pin-sha1="K9e3/nFL5j90GuVJOJBv6WXpvcs="; pin-sha256="2zCMVDKgnKec0721Sp1zVh2yiHeW/LJK4STkNnEa1og="; pin-sha1="YeyCi9tceCqPzE8PFLuFMZOf9z0="; includeSubdomains

net/test/spawned_test_server/base_test_server.cc

@@ -29,17 +29,11 @@ namespace {
 
 std::string GetHostname(BaseTestServer::Type type,
                         const BaseTestServer::SSLOptions& options) {
-  if (BaseTestServer::UsingSSL(type)) {
-    if (options.server_certificate ==
-            BaseTestServer::SSLOptions::CERT_MISMATCHED_NAME ||
-        options.server_certificate ==
-            BaseTestServer::SSLOptions::CERT_OK_FOR_LOCALHOST) {
-      // For |CERT_MISMATCHED_NAME|, return a different hostname string
-      // that resolves to the same hostname. For
-      // |CERT_OK_FOR_LOCALHOST|, the certificate is issued for
-      // "localhost" instead of "127.0.0.1".
-      return "localhost";
-    }
+  if (BaseTestServer::UsingSSL(type) &&
+      options.server_certificate ==
+          BaseTestServer::SSLOptions::CERT_MISMATCHED_NAME) {
+    // Return a different hostname string that resolves to the same hostname.
+    return "localhost";
   }
 
   // Use the 127.0.0.1 as default.
@@ -141,8 +135,6 @@ base::FilePath BaseTestServer::SSLOptions::GetCertificateFile() const {
     case CERT_OK:
     case CERT_MISMATCHED_NAME:
       return base::FilePath(FILE_PATH_LITERAL("ok_cert.pem"));
-    case CERT_OK_FOR_LOCALHOST:
-      return base::FilePath(FILE_PATH_LITERAL("localhost_cert.pem"));
     case CERT_EXPIRED:
       return base::FilePath(FILE_PATH_LITERAL("expired_cert.pem"));
     case CERT_CHAIN_WRONG_ROOT:

net/test/spawned_test_server/base_test_server.h

@@ -49,9 +49,6 @@ class BaseTestServer {
   struct SSLOptions {
     enum ServerCertificate {
       CERT_OK,
-      // Causes the testserver to use a hostname that is a domain
-      // instead of an IP.
-      CERT_OK_FOR_LOCALHOST,
 
       // CERT_AUTO causes the testserver to generate a test certificate issued
       // by "Testing CA" (see net/data/ssl/certificates/ocsp-test-root.pem).

net/url_request/url_request_http_job.cc

@@ -794,10 +794,6 @@ void URLRequestHttpJob::ProcessStrictTransportSecurityHeader() {
       !security_state)
     return;
 
-  // Don't accept HSTS headers when the hostname is an IP address.
-  if (request_info_.url.HostIsIPAddress())
-    return;
-
   // http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec:
   //
   //   If a UA receives more than one STS header field in a HTTP response
@@ -821,10 +817,6 @@ void URLRequestHttpJob::ProcessPublicKeyPinsHeader() {
       !security_state)
     return;
 
-  // Don't accept HSTS headers when the hostname is an IP address.
-  if (request_info_.url.HostIsIPAddress())
-    return;
-
   // http://tools.ietf.org/html/draft-ietf-websec-key-pinning:
   //
   //   If a UA receives more than one PKP header field in an HTTP

net/websockets/websocket_end_to_end_test.cc

@@ -385,14 +385,12 @@ TEST_F(WebSocketEndToEndTest, DISABLED_ON_ANDROID(TruncatedResponse)) {
 
 // Regression test for crbug.com/455215 "HSTS not applied to WebSocket"
 TEST_F(WebSocketEndToEndTest, DISABLED_ON_ANDROID(HstsHttpsToWebSocket)) {
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_OK_FOR_LOCALHOST);
+  SpawnedTestServer::SSLOptions ssl_options;
   SpawnedTestServer https_server(
       SpawnedTestServer::TYPE_HTTPS, ssl_options,
       base::FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest")));
   SpawnedTestServer wss_server(SpawnedTestServer::TYPE_WSS, ssl_options,
                                GetWebSocketTestDataDirectory());
-
   ASSERT_TRUE(https_server.StartInBackground());
   ASSERT_TRUE(wss_server.StartInBackground());
   ASSERT_TRUE(https_server.BlockUntilStarted());
@@ -415,8 +413,7 @@ TEST_F(WebSocketEndToEndTest, DISABLED_ON_ANDROID(HstsHttpsToWebSocket)) {
 }
 
 TEST_F(WebSocketEndToEndTest, DISABLED_ON_ANDROID(HstsWebSocketToHttps)) {
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_OK_FOR_LOCALHOST);
+  SpawnedTestServer::SSLOptions ssl_options;
   SpawnedTestServer https_server(
       SpawnedTestServer::TYPE_HTTPS, ssl_options,
       base::FilePath(FILE_PATH_LITERAL("net/data/url_request_unittest")));
@@ -445,8 +442,7 @@ TEST_F(WebSocketEndToEndTest, DISABLED_ON_ANDROID(HstsWebSocketToHttps)) {
 }
 
 TEST_F(WebSocketEndToEndTest, DISABLED_ON_ANDROID(HstsWebSocketToWebSocket)) {
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_OK_FOR_LOCALHOST);
+  SpawnedTestServer::SSLOptions ssl_options;
   SpawnedTestServer wss_server(SpawnedTestServer::TYPE_WSS, ssl_options,
                                GetWebSocketTestDataDirectory());
   ASSERT_TRUE(wss_server.Start());