Merge from Chromium at DEPS revision 260458

This commit was generated by merge_to_master.py.

Change-Id: I140fa91b7f09c8efba4424e99ccb87b94a11d022

225 files changed, 7749 insertions, 2804 deletions

diff --git a/net/base/file_stream_context.cc b/net/base/file_stream_context.cc
index 43825e3109..5d1fdbb013 100644
--- a/net/base/file_stream_context.cc
+++ b/net/base/file_stream_context.cc
@@ -274,21 +274,16 @@ void FileStream::Context::CloseAndDelete() {
   DCHECK(!async_in_progress_);
 
   if (file_.IsValid()) {
-    bool posted = task_runner_.get()->PostTaskAndReply(
+    bool posted = task_runner_.get()->PostTask(
         FROM_HERE,
         base::Bind(base::IgnoreResult(&Context::CloseFileImpl),
-                   base::Unretained(this)),
-        base::Bind(&Context::OnCloseCompleted, base::Unretained(this)));
+                   base::Owned(this)));
     DCHECK(posted);
   } else {
     delete this;
   }
 }
 
-void FileStream::Context::OnCloseCompleted() {
-  delete this;
-}
-
 Int64CompletionCallback FileStream::Context::IntToInt64(
     const CompletionCallback& callback) {
   return base::Bind(&CallInt64ToInt, callback);
diff --git a/net/base/file_stream_context.h b/net/base/file_stream_context.h
index e7711c9bc2..c70a8f6149 100644
--- a/net/base/file_stream_context.h
+++ b/net/base/file_stream_context.h
@@ -168,7 +168,6 @@ class FileStream::Context {
                        OpenResult open_result);
 
   void CloseAndDelete();
-  void OnCloseCompleted();
 
   Int64CompletionCallback IntToInt64(const CompletionCallback& callback);
 
diff --git a/net/base/ip_mapping_rules.cc b/net/base/ip_mapping_rules.cc
deleted file mode 100644
index fbc887da42..0000000000
--- a/net/base/ip_mapping_rules.cc
+++ /dev/null
@@ -1,120 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/base/ip_mapping_rules.h"
-
-#include <vector>
-
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/stl_util.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/strings/string_split.h"
-#include "base/strings/string_tokenizer.h"
-#include "base/strings/string_util.h"
-#include "net/base/address_list.h"
-#include "net/base/ip_pattern.h"
-
-namespace net {
-
-class IPMappingRules::Rule {
- public:
-  Rule(const IPAddressNumber& address, IPPattern* pattern)
-      : pattern_(pattern),
-        replacement_address_(address) {
-  }
-
-  bool Match(const IPAddressNumber& address) const {
-    return pattern_->Match(address);
-  }
-
-  const IPAddressNumber& replacement_address() const {
-    return replacement_address_;
-  }
-
- private:
-  scoped_ptr<IPPattern> pattern_;        // The pattern we can match.
-  IPAddressNumber replacement_address_;  // The replacement address we provide.
-  DISALLOW_COPY_AND_ASSIGN(Rule);
-};
-
-IPMappingRules::IPMappingRules() {}
-
-IPMappingRules::~IPMappingRules() {
-  STLDeleteElements(&rules_);
-}
-
-bool IPMappingRules::RewriteAddresses(AddressList* addresses) const {
-  // Last rule pushed into the list has the highest priority, and is tested
-  // first.
-  for (RuleList::const_reverse_iterator rule_it = rules_.rbegin();
-       rule_it != rules_.rend(); ++rule_it) {
-    for (AddressList::iterator address_it = addresses->begin();
-        address_it != addresses->end(); ++address_it) {
-      if (!(*rule_it)->Match(address_it->address()))
-        continue;
-      // We have a match.
-      int port = address_it->port();
-      addresses->insert(addresses->begin(),
-                        IPEndPoint((*rule_it)->replacement_address(), port));
-      return true;
-    }
-  }
-  return false;
-}
-
-bool IPMappingRules::AddRuleFromString(const std::string& rule_string) {
-  std::string trimmed;
-  base::TrimWhitespaceASCII(rule_string, base::TRIM_ALL, &trimmed);
-  if (trimmed.empty())
-    return true;  // Allow empty rules.
-
-  std::vector<std::string> parts;
-  base::SplitString(trimmed, ' ', &parts);
-
-  if (parts.size() != 3) {
-    DVLOG(1) << "Rule has wrong number of parts: " << rule_string;
-    return false;
-  }
-
-  if (!LowerCaseEqualsASCII(parts[0], "preface")) {
-    DVLOG(1) << "Unknown directive: " << rule_string;
-    return false;
-  }
-
-  scoped_ptr<IPPattern> pattern(new IPPattern);
-  if (!pattern->ParsePattern(parts[1])) {
-    DVLOG(1) << "Unacceptable pattern: " << rule_string;
-    return false;
-  }
-
-  IPAddressNumber address;
-  if (!ParseIPLiteralToNumber(parts[2], &address)) {
-    DVLOG(1) << "Invalid replacement address: " << rule_string;
-    return false;
-  }
-
-  if (pattern->is_ipv4() != (address.size() == kIPv4AddressSize)) {
-    DVLOG(1) << "Mixture of IPv4 and IPv6: " << rule_string;
-    return false;
-  }
-  rules_.push_back(new Rule(address, pattern.release()));
-  return true;
-}
-
-bool IPMappingRules::SetRulesFromString(const std::string& rules_string) {
-  STLDeleteElements(&rules_);
-
-  base::StringTokenizer rules(rules_string, ";");
-  while (rules.GetNext()) {
-    if (!AddRuleFromString(rules.token())) {
-      DVLOG(1) << "Failed parsing rule: " << rules.token();
-      STLDeleteElements(&rules_);
-      return false;
-    }
-  }
-  return true;
-}
-
-}  // namespace net
diff --git a/net/base/ip_mapping_rules.h b/net/base/ip_mapping_rules.h
deleted file mode 100644
index 7291abfe8d..0000000000
--- a/net/base/ip_mapping_rules.h
+++ /dev/null
@@ -1,90 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_BASE_IP_MAPPING_RULES_H_
-#define NET_BASE_IP_MAPPING_RULES_H_
-
-#include <string>
-#include <vector>
-
-#include "base/macros.h"
-#include "net/base/net_export.h"
-
-namespace net {
-
-class AddressList;
-
-// This class contains a list of rules, that can be used to process (Rewrite) a
-// set of DNS resolutions (IP addresses) in accordance with those rules.
-// Currently the only rules supported use a pattern match against some given IP
-// addresses, and may, if there is a match, place one new IP address at the
-// start of the rewritten address list (re: the "PREFACE" directive).  This
-// supports a common use case where the matching detects an address in a given
-// edge network server group, and the inserted address points to a server that
-// is expected to handle all requests that would otherwise have gone to the
-// given group of servers.
-class NET_EXPORT_PRIVATE IPMappingRules {
- public:
-  IPMappingRules();
-  ~IPMappingRules();
-
-  // Modifies |*addresses| based on the current rules. Returns true if
-  // |addresses| was modified, false otherwise.
-  bool RewriteAddresses(AddressList* addresses) const;
-
-  // Adds a rule to this mapper.
-  // Rules are evaluated against an address list until a first matching rule is
-  // found that applies, causing a modification of the address list.
-  // Each rule consists of one or more of the following pattern and action
-  // directives.
-  //
-  //   RULE: CHANGE_DIRECTIVE | EMPTY
-  //   CHANGE_DIRECTIVE: "PREFACE" SPACE IP_PATTERN SPACE IP_LITERAL
-  //   SPACE: " "
-  //   EMPTY:
-  //
-  //   IP_LITERAL: IP_V6_LITERAL | IP_V4_LITERAL
-  //
-  //   IP_V4_LITERAL: OCTET "." OCTET "." OCTET "." OCTET
-  //   OCTET: decimal number in range 0 ... 255
-  //
-  //   IP_V6_LITERAL:  HEX_COMPONENT  | IP_V6_LITERAL ":" HEX_COMPONENT
-  //   HEX_COMPONENT: hexadecimal values with no more than 4 hex digits
-  //
-  //   IP_PATTERN: IP_V6_PATTERN | IP_V4_PATTERN
-  //
-  //   IP_V6_PATTERN: HEX_PATTERN | IP_V6_PATTERN ":" HEX_PATTERN
-  //   HEX_PATTERN:  HEX_COMPONENT | "[" HEX_GROUP_PATTERN "]" | "*"
-  //   HEX_GROUP_PATTERN: HEX_RANGE | HEX_GROUP_PATTERN "," HEX_RANGE
-  //   HEX_RANGE: HEX_COMPONENT |  HEX_COMPONENT "-" HEX_COMPONENT
-  //
-  //   IP_V4_PATTERN: OCTET_PATTERN "." OCTET_PATTERN "." OCTET_PATTERN
-  //                  "." OCTET_PATTERN
-  //   OCTET_PATTERN:  OCTET | "[" OCTET_GROUP_PATTERN "]" | "*"
-  //   OCTET_GROUP_PATTERN: OCTET_RANGE | OCTET_GROUP_PATTERN "," OCTET_RANGE
-  //   OCTET_RANGE: OCTET | OCTET "-" OCTET
-  //
-  // All literals are required to have all their components specified (4
-  // components for IPv4, and 8 for IPv6).  Specifically, there is currently no
-  // support for elided compenents in an IPv6 address (e.g., "::").
-  // Returns true if the rule was successfully parsed and added.
-  bool AddRuleFromString(const std::string& rule_string);
-
-  // Sets the rules from a semicolon separated list of rules.
-  // Returns true if all the rules were successfully parsed and added.
-  bool SetRulesFromString(const std::string& rules_string);
-
- private:
-  class Rule;
-  typedef std::vector<Rule*> RuleList;
-
-  // We own all rules in this list, and are responsible for their destruction.
-  RuleList rules_;
-
-  DISALLOW_COPY_AND_ASSIGN(IPMappingRules);
-};
-
-}  // namespace net
-
-#endif  // NET_BASE_IP_MAPPING_RULES_H_
diff --git a/net/base/ip_mapping_rules_unittest.cc b/net/base/ip_mapping_rules_unittest.cc
deleted file mode 100644
index 7fd599f345..0000000000
--- a/net/base/ip_mapping_rules_unittest.cc
+++ /dev/null
@@ -1,307 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/base/ip_mapping_rules.h"
-
-#include "net/base/address_list.h"
-#include "net/base/ip_endpoint.h"
-#include "net/base/net_util.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace net {
-
-namespace {
-
-TEST(IPMappingRulesTest, EmptyRules) {
-  AddressList addresses;
-  // Null rule does nothing to null list.
-  EXPECT_EQ(0u, addresses.size());
-  IPMappingRules rules;
-  EXPECT_FALSE(rules.RewriteAddresses(&addresses));
-  EXPECT_EQ(0u, addresses.size());
-
-  IPAddressNumber address;
-  EXPECT_TRUE(ParseIPLiteralToNumber("1.2.3.4", &address));
-  int port = 80;
-  IPEndPoint endpoint(address, port);
-  addresses.push_back(endpoint);
-  // Null rule does nothing to a simple list.
-  ASSERT_EQ(1u, addresses.size());
-  EXPECT_EQ(addresses[0], endpoint);
-  EXPECT_FALSE(rules.RewriteAddresses(&addresses));
-  ASSERT_EQ(1u, addresses.size());
-  EXPECT_EQ(addresses[0], endpoint);
-
-  EXPECT_TRUE(ParseIPLiteralToNumber("1:2:3:4:a:b:c:def", &address));
-  IPEndPoint endpoint2(address, port);
-  addresses.push_back(endpoint2);
-  // Null rule does nothing to a simple list.
-  ASSERT_EQ(2u, addresses.size());
-  EXPECT_EQ(addresses[0], endpoint);
-  EXPECT_EQ(addresses[1], endpoint2);
-  EXPECT_FALSE(rules.RewriteAddresses(&addresses));
-  ASSERT_EQ(2u, addresses.size());
-  EXPECT_EQ(addresses[0], endpoint);
-  EXPECT_EQ(addresses[1], endpoint2);
-}
-
-// The |inserted_ip| must have a short final component, so that we can just
-// append a digit, and still be a valid (but different) ip address.
-void MatchingInsertionHelper(const std::string& matchable_ip,
-                             const std::string& matching_ip_pattern,
-                             const std::string& inserted_ip,
-                             bool should_match) {
-  AddressList addresses;
-
-  IPAddressNumber address;
-  EXPECT_TRUE(ParseIPLiteralToNumber(matchable_ip, &address));
-  int port = 80;
-  IPEndPoint endpoint(address, port);
-  addresses.push_back(endpoint);
-  // Match the string with a precisely crafted pattern.
-  std::string rule_text("Preface ");
-  rule_text += matching_ip_pattern;
-  rule_text += " ";
-  rule_text += inserted_ip;
-  IPMappingRules rules;
-  EXPECT_TRUE(rules.AddRuleFromString(rule_text));
-
-  ASSERT_EQ(1u, addresses.size());
-  EXPECT_EQ(addresses[0], endpoint);
-  EXPECT_EQ(should_match, rules.RewriteAddresses(&addresses));
-  if (!should_match) {
-    ASSERT_EQ(1u, addresses.size());
-    EXPECT_EQ(addresses[0], endpoint);
-    return;  // Don't bother with the rest of the test.
-  }
-
-  ASSERT_EQ(2u, addresses.size());
-  EXPECT_EQ(addresses[1], endpoint);
-  IPAddressNumber inserted_ip_adress_number;
-  EXPECT_TRUE(ParseIPLiteralToNumber(inserted_ip, &inserted_ip_adress_number));
-  EXPECT_EQ(inserted_ip_adress_number, addresses[0].address());
-
-  // Now we have two addresses.  We'll use new rules, to match the second
-  // address (the original address shifted over) in the list of addresses.
-  rule_text = "Preface ";  // Build up a new rule.
-  rule_text += matching_ip_pattern;
-  rule_text += " ";
-  // Change the inserted IP mildly.
-  std::string different_inserted_ip = inserted_ip + "3";
-  rule_text += different_inserted_ip;
-  // If we don't overwrite the old rule, it will fire first!
-  EXPECT_TRUE(rules.SetRulesFromString(rule_text));  // Overwrite old rules.
-
-  ASSERT_EQ(2u, addresses.size());
-  EXPECT_EQ(addresses[1], endpoint);
-  EXPECT_TRUE(rules.RewriteAddresses(&addresses));
-  ASSERT_EQ(3u, addresses.size());
-  EXPECT_EQ(addresses[2], endpoint);
-  EXPECT_TRUE(ParseIPLiteralToNumber(different_inserted_ip,
-                                     &inserted_ip_adress_number));
-  EXPECT_EQ(inserted_ip_adress_number, addresses[0].address());
-}
-
-TEST(IPMappingRulesTest, SimpleMatchingInsertionIPV4) {
-  std::string matchable_ip("1.2.3.4");
-  std::string matching_ip_pattern(matchable_ip);
-  std::string new_preface_ip("7.8.9.24");
-  bool should_match = true;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, SimpleMatchingInsertionIPV6) {
-  std::string matchable_ip("1:2:3:4:5:6:7:8");
-  std::string matching_ip_pattern(matchable_ip);
-  std::string new_preface_ip("A:B:C:D:1:2:3:4");
-  bool should_match = true;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, SimpleMissatchingInsertionIPV4) {
-  std::string matchable_ip("1.2.3.4");
-  std::string matching_ip_pattern(matchable_ip + "7");
-  std::string new_preface_ip("7.8.9.24");
-  bool should_match = false;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, SimpleMisatchingInsertionIPV6) {
-  std::string matchable_ip("1:2:3:4:5:6:7:8");
-  std::string matching_ip_pattern(matchable_ip + "e");
-  std::string new_preface_ip("A:B:C:D:1:2:3:4");
-  bool should_match = false;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, AlternativeMatchingInsertionIPV4) {
-  std::string matchable_ip("1.2.3.4");
-  std::string matching_ip_pattern("1.2.3.[2,4,6]");
-  std::string new_preface_ip("7.8.9.24");
-  bool should_match = true;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, AlternativeMatchingInsertionIPV6) {
-  std::string matchable_ip("1:2:3:4:5:6:7:abcd");
-  std::string matching_ip_pattern("1:2:3:4:5:6:7:[abc2,abc9,abcd,cdef]");
-  std::string new_preface_ip("A:B:C:D:1:2:3:4");
-  bool should_match = true;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, RangeMatchingInsertionIPV4) {
-  std::string matchable_ip("1.2.3.4");
-  std::string matching_ip_pattern("1.2.3.[2-6,22]");
-  std::string new_preface_ip("7.8.9.24");
-  bool should_match = true;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, RandgeMatchingInsertionIPV6) {
-  std::string matchable_ip("1:2:3:4:5:6:7:abcd");
-  // Note: This test can detect confusion over high vs low-order bytes in an
-  // IPv6 component.  If the code confused them, then this range would not
-  // include the matchable_ip.
-  std::string matching_ip_pattern("1:2:3:4:5:6:7:[abc2-cdc2]");
-  std::string new_preface_ip("A:B:C:D:1:2:3:4");
-  bool should_match = true;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, WildMatchingInsertionIPV4) {
-  std::string matchable_ip("1.2.3.4");
-  std::string matching_ip_pattern("1.2.3.*");
-  std::string new_preface_ip("7.8.9.24");
-  bool should_match = true;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, WildMatchingInsertionIPV6) {
-  std::string matchable_ip("1:2:3:4:5:6:7:abcd");
-  // Note: This test can detect confusion over high vs low-order bytes in an
-  // IPv6 component.  If the code confused them, then this range would not
-  // include the matchable_ip.
-  std::string matching_ip_pattern("1:2:3:4:5:6:7:*");
-  std::string new_preface_ip("A:B:C:D:1:2:3:4");
-  bool should_match = true;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, WildNotMatchingInsertionIPV4) {
-  std::string matchable_ip("1.2.3.4");
-  std::string matching_ip_pattern("*.200.*.*");
-  std::string new_preface_ip("7.8.9.24");
-  bool should_match = false;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, WildNotMatchingInsertionIPV6) {
-  std::string matchable_ip("1:2:3:4:5:6:7:8");
-  // Note: This test can detect confusion over high vs low-order bytes in an
-  // IPv6 component.  If the code confused them, then this range would not
-  // include the matchable_ip.
-  std::string matching_ip_pattern("*:*:37af:*:*:*:*:*");
-  std::string new_preface_ip("A:B:C:D:1:2:3:4");
-  bool should_match = false;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-TEST(IPMappingRulesTest, IPv4NotMatchForIPV6) {
-  std::string matchable_ip("1:2:3:4:5:6:7:abcd");
-  // Note: This test can detect confusion over high vs low-order bytes in an
-  // IPv6 component.  If the code confused them, then this range would not
-  // include the matchable_ip.
-  std::string matching_ip_pattern("1.2.3.4");
-  std::string new_preface_ip("10.20.30.40");  // Compatible with pattern.
-  bool should_match = false;
-  MatchingInsertionHelper(matchable_ip, matching_ip_pattern, new_preface_ip,
-                          should_match);
-}
-
-// Parsing bad rules should silently discard the rule (and never crash).
-TEST(IPMappingRulesTest, ParseInvalidRules) {
-  IPMappingRules rules;
-
-  EXPECT_FALSE(rules.AddRuleFromString("Too short"));
-  EXPECT_FALSE(rules.AddRuleFromString("Preface much too long"));
-  EXPECT_FALSE(rules.AddRuleFromString("PrefaceNotSpelled 1.2.3.4 1.2.3.4"));
-
-  // Ipv4 problems
-  EXPECT_FALSE(rules.AddRuleFromString("Preface 1.2.a.4 1.2.3.4"));
-  EXPECT_FALSE(rules.AddRuleFromString("Preface 1.2.3.4.5 1.2.3.4"));
-  EXPECT_FALSE(rules.AddRuleFromString("Preface 1.2.3.4 1.2.3.4.5"));
-  EXPECT_FALSE(rules.AddRuleFromString("Preface 1.2.3.4 1.2.3.4-5"));
-  EXPECT_FALSE(rules.AddRuleFromString("Preface 1.2.3.4-5-6 1.2.3.4"));
-
-  // IPv6 problems
-  EXPECT_FALSE(rules.AddRuleFromString(
-      "Preface 1:2:3:4:5:6:7:g 1:2:3:4:5:6:7:8"));
-  EXPECT_FALSE(rules.AddRuleFromString(
-      "Preface 1:2:3:4:5:6:7:8 1:g:3:4:5:6:7:8"));
-  EXPECT_FALSE(rules.AddRuleFromString(
-      "Preface 1:2:3:4:5:6:7:8:9 1:2:3:4:5:6:7:8"));
-  EXPECT_FALSE(rules.AddRuleFromString(
-      "Preface 1:2:3:4:5:6:7:8 1:2:3:4:5:6:7:8:0"));
-  EXPECT_FALSE(rules.AddRuleFromString(
-      "Preface 1:2:3:4:5:6:7:8 1:2:3:4:5:6:7:8-A"));
-  EXPECT_FALSE(rules.AddRuleFromString(
-      "Preface 1:2:3:4:5:6:7:8-A-B 1:2:3:4:5:6:7:8"));
-
-  // Don't mix ipv4 and ipv6.
-  EXPECT_FALSE(rules.AddRuleFromString("Preface 1.2.3.4 1:2:3:4:5:6:7:8"));
-
-  EXPECT_FALSE(rules.SetRulesFromString("Preface 1.2.3.4 5.6.7.8; bad"));
-}
-
-
-TEST(IPMappingRulesTest, FirstRuleToMatch) {
-  std::string first_replacement("1.1.1.1");
-  IPAddressNumber first_replacement_address;
-  EXPECT_TRUE(ParseIPLiteralToNumber(first_replacement,
-              &first_replacement_address));
-
-  std::string second_replacement("2.2.2.2");
-  IPAddressNumber second_replacement_address;
-  EXPECT_TRUE(ParseIPLiteralToNumber(second_replacement,
-              &second_replacement_address));
-
-  IPMappingRules rules;
-  EXPECT_TRUE(
-      rules.SetRulesFromString("Preface *.*.*.* " + first_replacement +
-                               ";Preface *.*.*.* " + second_replacement));
-
-  IPAddressNumber address;
-  EXPECT_TRUE(ParseIPLiteralToNumber("7.7.7.7", &address));
-  int port = 80;
-  IPEndPoint endpoint(address, port);
-  AddressList addresses;
-  addresses.push_back(endpoint);
-
-  ASSERT_EQ(1u, addresses.size());
-  EXPECT_EQ(addresses[0], endpoint);
-  EXPECT_TRUE(rules.RewriteAddresses(&addresses));
-  ASSERT_EQ(2u, addresses.size());
-  EXPECT_EQ(addresses[1], endpoint);
-  // The last rule added  to the list has the highest priority (overriding
-  // previous rules, and matching first).
-  EXPECT_NE(addresses[0].address(), first_replacement_address);
-  EXPECT_EQ(addresses[0].address(), second_replacement_address);
-}
-
-}  // namespace
-
-}  // namespace net
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h
index b2ddd4a1ae..37c84c7f2a 100644
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -313,6 +313,12 @@ NET_ERROR(CT_NO_SCTS_VERIFIED_OK, -158)
 // The SSL server sent us a fatal unrecognized_name alert.
 NET_ERROR(SSL_UNRECOGNIZED_NAME_ALERT, -159)
 
+// Failed to set or change the socket's receive buffer size as requested
+NET_ERROR(SOCKET_SET_RECEIVE_BUFFER_SIZE_ERROR, -160)
+
+// Failed to set or change the socket's send buffer size as requested.
+NET_ERROR(SOCKET_SET_SEND_BUFFER_SIZE_ERROR, -161)
+
 // Certificate error codes
 //
 // The values of certificate error codes must be consecutive.
diff --git a/net/base/net_util.h b/net/base/net_util.h
index 04a9b2dfbe..8a20a25811 100644
--- a/net/base/net_util.h
+++ b/net/base/net_util.h
@@ -530,10 +530,13 @@ struct NET_EXPORT NetworkInterface {
 
 typedef std::vector<NetworkInterface> NetworkInterfaceList;
 
-// Policy settings to include/exclude VMWare host only network interfaces.
-enum HostScopeVirtualInterfacePolicy {
-  INCLUDE_HOST_SCOPE_VIRTUAL_INTERFACES,
-  EXCLUDE_HOST_SCOPE_VIRTUAL_INTERFACES,
+// Policy settings to include/exclude network interfaces.
+enum HostAddressSelectionPolicy {
+  EXCLUDE_HOST_SCOPE_VIRTUAL_INTERFACES           = 0x1,
+  INCLUDE_HOST_SCOPE_VIRTUAL_INTERFACES           = 0x2,
+  // Include temp address only when interface has both permanent and
+  // temp addresses.
+  INCLUDE_ONLY_TEMP_IPV6_ADDRESS_IF_POSSIBLE      = 0x4,
 };
 
 // Returns list of network interfaces except loopback interface. If an
@@ -541,7 +544,7 @@ enum HostScopeVirtualInterfacePolicy {
 // the list for each address.
 // Can be called only on a thread that allows IO.
 NET_EXPORT bool GetNetworkList(NetworkInterfaceList* networks,
-                               HostScopeVirtualInterfacePolicy policy);
+                               int policy);
 
 // General category of the IEEE 802.11 (wifi) physical layer operating mode.
 enum WifiPHYLayerProtocol {
diff --git a/net/base/net_util_posix.cc b/net/base/net_util_posix.cc
index 8b9e067f4f..95b963e7a6 100644
--- a/net/base/net_util_posix.cc
+++ b/net/base/net_util_posix.cc
@@ -4,6 +4,7 @@
 
 #include "net/base/net_util.h"
 
+#include <set>
 #include <sys/types.h>
 
 #include "base/files/file_path.h"
@@ -23,12 +24,67 @@
 #include <net/if.h>
 #include <netinet/in.h>
 
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+#include <netinet/in_var.h>
+#include <sys/ioctl.h>
+#endif
+
 #if defined(OS_ANDROID)
 #include "net/android/network_library.h"
 #endif
 
 namespace net {
 
+namespace {
+
+#if !defined(OS_ANDROID)
+
+struct NetworkInterfaceInfo {
+  NetworkInterfaceInfo() : permanent(true) { }
+
+  bool permanent;  // IPv6 has notion of temporary address. If the address is
+                   // IPv6 and it's temporary this field will be false.
+  NetworkInterface interface;
+};
+
+// This method will remove permanent IPv6 addresses if a temporary address
+// is available for same network interface.
+void RemovePermanentIPv6AddressesWhereTemporaryExists(
+    std::vector<NetworkInterfaceInfo>* infos) {
+  if (!infos || infos->empty())
+    return;
+
+  // Build a set containing the names of interfaces with a temp IPv6 address
+  std::set<std::string> ifaces_with_temp_addrs;
+  std::vector<NetworkInterfaceInfo>::iterator i;
+  for (i = infos->begin(); i != infos->end(); ++i) {
+    if (!i->permanent && i->interface.address.size() == kIPv6AddressSize) {
+      ifaces_with_temp_addrs.insert(i->interface.name);
+    }
+  }
+
+  // If there are no such interfaces then there's no further work.
+  if (ifaces_with_temp_addrs.empty())
+    return;
+
+  // Search for permenent addresses belonging to same network interface.
+  for (i = infos->begin(); i != infos->end(); ) {
+    // If the address is IPv6 and it's permanent and there is temporary
+    // address for it, then we can remove this address.
+    if ((i->interface.address.size() == kIPv6AddressSize) && i->permanent &&
+        (ifaces_with_temp_addrs.find(i->interface.name) !=
+            ifaces_with_temp_addrs.end())) {
+      i = infos->erase(i);
+    } else {
+      ++i;
+    }
+  }
+}
+
+#endif
+
+}  // namespace
+
 bool FileURLToFilePath(const GURL& url, base::FilePath* path) {
   *path = base::FilePath();
   std::string& file_path_str = const_cast<std::string&>(path->value());
@@ -63,8 +119,7 @@ bool FileURLToFilePath(const GURL& url, base::FilePath* path) {
   return !file_path_str.empty();
 }
 
-bool GetNetworkList(NetworkInterfaceList* networks,
-                    HostScopeVirtualInterfacePolicy policy) {
+bool GetNetworkList(NetworkInterfaceList* networks, int policy) {
 #if defined(OS_ANDROID)
   std::string network_list = android::GetNetworkList();
   base::StringTokenizer network_interfaces(network_list, "\n");
@@ -94,12 +149,21 @@ bool GetNetworkList(NetworkInterfaceList* networks,
   // getifaddrs() may require IO operations.
   base::ThreadRestrictions::AssertIOAllowed();
 
+  int ioctl_socket = -1;
+  if (policy & INCLUDE_ONLY_TEMP_IPV6_ADDRESS_IF_POSSIBLE) {
+    // we need a socket to query information about temporary address.
+    ioctl_socket = socket(AF_INET6, SOCK_DGRAM, 0);
+    DCHECK_GT(ioctl_socket, 0);
+  }
+
   ifaddrs *interfaces;
   if (getifaddrs(&interfaces) < 0) {
     PLOG(ERROR) << "getifaddrs";
     return false;
   }
 
+  std::vector<NetworkInterfaceInfo> network_infos;
+
   // Enumerate the addresses assigned to network interfaces which are up.
   for (ifaddrs *interface = interfaces;
        interface != NULL;
@@ -141,11 +205,29 @@ bool GetNetworkList(NetworkInterfaceList* networks,
 
     const std::string& name = interface->ifa_name;
     // Filter out VMware interfaces, typically named vmnet1 and vmnet8.
-    if (policy == EXCLUDE_HOST_SCOPE_VIRTUAL_INTERFACES &&
+    if ((policy & EXCLUDE_HOST_SCOPE_VIRTUAL_INTERFACES) &&
         ((name.find("vmnet") != std::string::npos) ||
          (name.find("vnic") != std::string::npos))) {
       continue;
     }
+
+    NetworkInterfaceInfo network_info;
+#if defined(OS_MACOSX) && !defined(OS_IOS)
+    // Check if this is a temporary address. Currently this is only supported
+    // on Mac.
+    if ((policy & INCLUDE_ONLY_TEMP_IPV6_ADDRESS_IF_POSSIBLE) &&
+        ioctl_socket >= 0 && addr->sa_family == AF_INET6) {
+      struct in6_ifreq ifr = {};
+      strncpy(ifr.ifr_name, interface->ifa_name, sizeof(ifr.ifr_name) - 1);
+      memcpy(&ifr.ifr_ifru.ifru_addr, interface->ifa_addr,
+             interface->ifa_addr->sa_len);
+      int rv = ioctl(ioctl_socket, SIOCGIFAFLAG_IN6, &ifr);
+      if (rv >= 0) {
+        network_info.permanent = !(ifr.ifr_ifru.ifru_flags & IN6_IFF_TEMPORARY);
+      }
+    }
+#endif
+
     IPEndPoint address;
     if (address.FromSockAddr(addr, addr_size)) {
       uint8 net_mask = 0;
@@ -159,15 +241,25 @@ bool GetNetworkList(NetworkInterfaceList* networks,
           net_mask = MaskPrefixLength(netmask.address());
         }
       }
+      network_info.interface = NetworkInterface(
+          name, name, if_nametoindex(name.c_str()),
+          address.address(), net_mask);
 
-      networks->push_back(
-          NetworkInterface(name, name, if_nametoindex(name.c_str()),
-                           address.address(), net_mask));
+      network_infos.push_back(NetworkInterfaceInfo(network_info));
     }
   }
-
   freeifaddrs(interfaces);
+  if (ioctl_socket >= 0) {
+    close(ioctl_socket);
+  }
+
+  if (policy & INCLUDE_ONLY_TEMP_IPV6_ADDRESS_IF_POSSIBLE) {
+    RemovePermanentIPv6AddressesWhereTemporaryExists(&network_infos);
+  }
 
+  for (size_t i = 0; i < network_infos.size(); ++i) {
+    networks->push_back(network_infos[i].interface);
+  }
   return true;
 #endif
 }
diff --git a/net/base/net_util_win.cc b/net/base/net_util_win.cc
index f415808d8d..de85ce59e9 100644
--- a/net/base/net_util_win.cc
+++ b/net/base/net_util_win.cc
@@ -138,8 +138,7 @@ bool FileURLToFilePath(const GURL& url, base::FilePath* file_path) {
   return true;
 }
 
-bool GetNetworkList(NetworkInterfaceList* networks,
-                    HostScopeVirtualInterfacePolicy policy) {
+bool GetNetworkList(NetworkInterfaceList* networks, int policy) {
   // GetAdaptersAddresses() may require IO operations.
   base::ThreadRestrictions::AssertIOAllowed();
   bool is_xp = base::win::GetVersion() < base::win::VERSION_VISTA;
diff --git a/net/base/network_change_notifier_win_unittest.cc b/net/base/network_change_notifier_win_unittest.cc
index 96dcd13e58..878060eefb 100644
--- a/net/base/network_change_notifier_win_unittest.cc
+++ b/net/base/network_change_notifier_win_unittest.cc
@@ -228,12 +228,14 @@ TEST_F(NetworkChangeNotifierWinTest, NetChangeWinFailStart) {
   StartWatchingAndFail();
 }
 
-TEST_F(NetworkChangeNotifierWinTest, NetChangeWinFailStartOnce) {
+// https://code.google.com/p/chromium/issues/detail?id=356401
+TEST_F(NetworkChangeNotifierWinTest, FLAKY_NetChangeWinFailStartOnce) {
   StartWatchingAndFail();
   RetryAndSucceed();
 }
 
-TEST_F(NetworkChangeNotifierWinTest, NetChangeWinFailStartTwice) {
+// https://code.google.com/p/chromium/issues/detail?id=356401
+TEST_F(NetworkChangeNotifierWinTest, FLAKY_NetChangeWinFailStartTwice) {
   StartWatchingAndFail();
   RetryAndFail();
   RetryAndSucceed();
@@ -244,13 +246,15 @@ TEST_F(NetworkChangeNotifierWinTest, NetChangeWinSignal) {
   SignalAndSucceed();
 }
 
-TEST_F(NetworkChangeNotifierWinTest, NetChangeWinFailSignalOnce) {
+// https://code.google.com/p/chromium/issues/detail?id=356401
+TEST_F(NetworkChangeNotifierWinTest, FLAKY_NetChangeWinFailSignalOnce) {
   StartWatchingAndSucceed();
   SignalAndFail();
   RetryAndSucceed();
 }
 
-TEST_F(NetworkChangeNotifierWinTest, NetChangeWinFailSignalTwice) {
+// https://code.google.com/p/chromium/issues/detail?id=356401
+TEST_F(NetworkChangeNotifierWinTest, FLAKY_NetChangeWinFailSignalTwice) {
   StartWatchingAndSucceed();
   SignalAndFail();
   RetryAndFail();
diff --git a/net/base/network_delegate.cc b/net/base/network_delegate.cc
index 517868ab60..d30a4ab4c8 100644
--- a/net/base/network_delegate.cc
+++ b/net/base/network_delegate.cc
@@ -39,12 +39,16 @@ int NetworkDelegate::NotifyHeadersReceived(
     URLRequest* request,
     const CompletionCallback& callback,
     const HttpResponseHeaders* original_response_headers,
-    scoped_refptr<HttpResponseHeaders>* override_response_headers) {
+    scoped_refptr<HttpResponseHeaders>* override_response_headers,
+    GURL* allowed_unsafe_redirect_url) {
   DCHECK(CalledOnValidThread());
   DCHECK(original_response_headers);
   DCHECK(!callback.is_null());
-  return OnHeadersReceived(request, callback, original_response_headers,
-                           override_response_headers);
+  return OnHeadersReceived(request,
+                           callback,
+                           original_response_headers,
+                           override_response_headers,
+                           allowed_unsafe_redirect_url);
 }
 
 void NetworkDelegate::NotifyResponseStarted(URLRequest* request) {
@@ -155,7 +159,8 @@ int NetworkDelegate::OnHeadersReceived(
     URLRequest* request,
     const CompletionCallback& callback,
     const HttpResponseHeaders* original_response_headers,
-    scoped_refptr<HttpResponseHeaders>* override_response_headers) {
+    scoped_refptr<HttpResponseHeaders>* override_response_headers,
+    GURL* allowed_unsafe_redirect_url) {
   return OK;
 }
 
diff --git a/net/base/network_delegate.h b/net/base/network_delegate.h
index 882701ce5b..4f930cf6b7 100644
--- a/net/base/network_delegate.h
+++ b/net/base/network_delegate.h
@@ -69,7 +69,8 @@ class NET_EXPORT NetworkDelegate : public base::NonThreadSafe {
       URLRequest* request,
       const CompletionCallback& callback,
       const HttpResponseHeaders* original_response_headers,
-      scoped_refptr<HttpResponseHeaders>* override_response_headers);
+      scoped_refptr<HttpResponseHeaders>* override_response_headers,
+      GURL* allowed_unsafe_redirect_url);
   void NotifyBeforeRedirect(URLRequest* request,
                             const GURL& new_location);
   void NotifyResponseStarted(URLRequest* request);
@@ -140,7 +141,8 @@ class NET_EXPORT NetworkDelegate : public base::NonThreadSafe {
       URLRequest* request,
       const CompletionCallback& callback,
       const HttpResponseHeaders* original_response_headers,
-      scoped_refptr<HttpResponseHeaders>* override_response_headers);
+      scoped_refptr<HttpResponseHeaders>* override_response_headers,
+      GURL* allowed_unsafe_redirect_url);
 
   // Called right after a redirect response code was received.
   // |new_location| is only valid until OnURLRequestDestroyed is called for this
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index 04f330ff88..8ee4069752 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -20,7 +20,7 @@
 
 #if defined(USE_NSS) || defined(OS_IOS)
 #include "net/cert/cert_verify_proc_nss.h"
-#elif defined(USE_OPENSSL) && !defined(OS_ANDROID)
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
 #include "net/cert/cert_verify_proc_openssl.h"
 #elif defined(OS_ANDROID)
 #include "net/cert/cert_verify_proc_android.h"
@@ -167,7 +167,7 @@ bool ExaminePublicKeys(const scoped_refptr<X509Certificate>& cert,
 CertVerifyProc* CertVerifyProc::CreateDefault() {
 #if defined(USE_NSS) || defined(OS_IOS)
   return new CertVerifyProcNSS();
-#elif defined(USE_OPENSSL) && !defined(OS_ANDROID)
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
   return new CertVerifyProcOpenSSL();
 #elif defined(OS_ANDROID)
   return new CertVerifyProcAndroid();
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index 9d7e7503ba..6567d1656f 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -157,7 +157,7 @@ TEST_F(CertVerifyProcTest, DISABLED_WithoutRevocationChecking) {
                    &verify_result));
 }
 
-#if defined(OS_ANDROID) || defined(USE_OPENSSL)
+#if defined(OS_ANDROID) || defined(USE_OPENSSL_CERTS)
 // TODO(jnd): http://crbug.com/117478 - EV verification is not yet supported.
 #define MAYBE_EVVerification DISABLED_EVVerification
 #else
@@ -724,7 +724,7 @@ TEST_F(CertVerifyProcTest, InvalidKeyUsage) {
                      NULL,
                      empty_cert_list_,
                      &verify_result);
-#if defined(USE_OPENSSL) && !defined(OS_ANDROID)
+#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
   // This certificate has two errors: "invalid key usage" and "untrusted CA".
   // However, OpenSSL returns only one (the latter), and we can't detect
   // the other errors.
@@ -1013,6 +1013,9 @@ TEST_F(CertVerifyProcTest, IsIssuedByKnownRootIgnoresTestRoots) {
   EXPECT_EQ(0U, verify_result.cert_status);
   // But should not be marked as a known root.
   EXPECT_FALSE(verify_result.is_issued_by_known_root);
+
+  root_certs->Clear();
+  EXPECT_TRUE(root_certs->IsEmpty());
 }
 
 #if defined(OS_MACOSX) && !defined(OS_IOS)
@@ -1133,6 +1136,8 @@ TEST_F(CertVerifyProcTest, CybertrustGTERoot) {
   EXPECT_EQ(OK, error);
   EXPECT_EQ(0U, verify_result.cert_status);
 
+  TestRootCerts::GetInstance()->Clear();
+  EXPECT_TRUE(TestRootCerts::GetInstance()->IsEmpty());
 }
 #endif
 
@@ -1402,7 +1407,7 @@ TEST_P(CertVerifyProcWeakDigestTest, Verify) {
 const WeakDigestTestData kVerifyRootCATestData[] = {
   { "weak_digest_md5_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_sha1_ee.pem", false, false, false },
-#if defined(USE_OPENSSL) || defined(OS_WIN)
+#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
   // MD4 is not supported by OS X / NSS
   { "weak_digest_md4_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_sha1_ee.pem", false, false, false },
@@ -1417,7 +1422,7 @@ INSTANTIATE_TEST_CASE_P(VerifyRoot, CertVerifyProcWeakDigestTest,
 const WeakDigestTestData kVerifyIntermediateCATestData[] = {
   { "weak_digest_sha1_root.pem", "weak_digest_md5_intermediate.pem",
     "weak_digest_sha1_ee.pem", true, false, false },
-#if defined(USE_OPENSSL) || defined(OS_WIN)
+#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
   // MD4 is not supported by OS X / NSS
   { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
     "weak_digest_sha1_ee.pem", false, true, false },
@@ -1440,7 +1445,7 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
 const WeakDigestTestData kVerifyEndEntityTestData[] = {
   { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_md5_ee.pem", true, false, false },
-#if defined(USE_OPENSSL) || defined(OS_WIN)
+#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
   // MD4 is not supported by OS X / NSS
   { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
     "weak_digest_md4_ee.pem", false, true, false },
@@ -1464,7 +1469,7 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(MAYBE_VerifyEndEntity,
 const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
   { NULL, "weak_digest_md5_intermediate.pem", "weak_digest_sha1_ee.pem",
     true, false, false },
-#if defined(USE_OPENSSL) || defined(OS_WIN)
+#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
   // MD4 is not supported by OS X / NSS
   { NULL, "weak_digest_md4_intermediate.pem", "weak_digest_sha1_ee.pem",
     false, true, false },
@@ -1489,7 +1494,7 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
 const WeakDigestTestData kVerifyIncompleteEETestData[] = {
   { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md5_ee.pem",
     true, false, false },
-#if defined(USE_OPENSSL) || defined(OS_WIN)
+#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
   // MD4 is not supported by OS X / NSS
   { NULL, "weak_digest_sha1_intermediate.pem", "weak_digest_md4_ee.pem",
     false, true, false },
@@ -1516,7 +1521,7 @@ const WeakDigestTestData kVerifyMixedTestData[] = {
     "weak_digest_md2_ee.pem", true, false, true },
   { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
     "weak_digest_md5_ee.pem", true, false, true },
-#if defined(USE_OPENSSL) || defined(OS_WIN)
+#if defined(USE_OPENSSL_CERTS) || defined(OS_WIN)
   // MD4 is not supported by OS X / NSS
   { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
     "weak_digest_md2_ee.pem", false, true, true },
diff --git a/net/cert/test_root_certs.h b/net/cert/test_root_certs.h
index cf35a2af12..84c163a5bb 100644
--- a/net/cert/test_root_certs.h
+++ b/net/cert/test_root_certs.h
@@ -12,7 +12,7 @@
 
 #if defined(USE_NSS) || defined(OS_IOS)
 #include <list>
-#elif defined(USE_OPENSSL) && !defined(OS_ANDROID)
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
 #include <vector>
 #elif defined(OS_WIN)
 #include <windows.h>
@@ -25,7 +25,7 @@
 
 #if defined(USE_NSS)
 typedef struct CERTCertificateStr CERTCertificate;
-#elif defined(USE_OPENSSL) && !defined(OS_ANDROID)
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
 typedef struct x509_st X509;
 #endif
 
@@ -78,7 +78,7 @@ class NET_EXPORT TestRootCerts {
   // be trusted. By default, this is true, indicating that the TestRootCerts
   // are used in addition to OS trust store.
   void SetAllowSystemTrust(bool allow_system_trust);
-#elif defined(USE_OPENSSL) && !defined(OS_ANDROID)
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
   const std::vector<scoped_refptr<X509Certificate> >&
       temporary_roots() const { return temporary_roots_; }
   bool Contains(X509* cert) const;
@@ -106,7 +106,7 @@ class NET_EXPORT TestRootCerts {
   // settings, in order to restore them when Clear() is called.
   class TrustEntry;
   std::list<TrustEntry*> trust_cache_;
-#elif defined(USE_OPENSSL) && !defined(OS_ANDROID)
+#elif defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
   std::vector<scoped_refptr<X509Certificate> > temporary_roots_;
 #elif defined(OS_WIN)
   HCERTSTORE temporary_roots_;
diff --git a/net/cert/test_root_certs_unittest.cc b/net/cert/test_root_certs_unittest.cc
index 81926bee12..a2cf695f95 100644
--- a/net/cert/test_root_certs_unittest.cc
+++ b/net/cert/test_root_certs_unittest.cc
@@ -135,7 +135,7 @@ TEST(TestRootCertsTest, OverrideTrust) {
   EXPECT_EQ(bad_verify_result.cert_status, restored_verify_result.cert_status);
 }
 
-#if defined(USE_NSS) || (defined(USE_OPENSSL) && !defined(OS_ANDROID))
+#if defined(USE_NSS) || (defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID))
 TEST(TestRootCertsTest, Contains) {
   // Another test root certificate.
   const char kRootCertificateFile2[] = "2048-rsa-root.pem";
diff --git a/net/cert/x509_certificate.h b/net/cert/x509_certificate.h
index 43ed01414e..7aa48f068f 100644
--- a/net/cert/x509_certificate.h
+++ b/net/cert/x509_certificate.h
@@ -25,7 +25,7 @@
 #include <CoreFoundation/CFArray.h>
 #include <Security/SecBase.h>
 
-#elif defined(USE_OPENSSL)
+#elif defined(USE_OPENSSL_CERTS)
 // Forward declaration; real one in <x509.h>
 typedef struct x509_st X509;
 typedef struct x509_store_st X509_STORE;
@@ -58,7 +58,7 @@ class NET_EXPORT X509Certificate
   typedef PCCERT_CONTEXT OSCertHandle;
 #elif defined(OS_MACOSX)
   typedef SecCertificateRef OSCertHandle;
-#elif defined(USE_OPENSSL)
+#elif defined(USE_OPENSSL_CERTS)
   typedef X509* OSCertHandle;
 #elif defined(USE_NSS)
   typedef struct CERTCertificateStr* OSCertHandle;
@@ -304,7 +304,7 @@ class NET_EXPORT X509Certificate
   PCCERT_CONTEXT CreateOSCertChainForCert() const;
 #endif
 
-#if defined(USE_OPENSSL)
+#if defined(USE_OPENSSL_CERTS)
   // Returns a handle to a global, in-memory certificate store. We
   // use it for test code, e.g. importing the test server's certificate.
   static X509_STORE* cert_store();
@@ -413,7 +413,7 @@ class NET_EXPORT X509Certificate
   // Common object initialization code.  Called by the constructors only.
   void Initialize();
 
-#if defined(USE_OPENSSL)
+#if defined(USE_OPENSSL_CERTS)
   // Resets the store returned by cert_store() to default state. Used by
   // TestRootCerts to undo modifications.
   static void ResetCertStore();
diff --git a/net/cert/x509_certificate_mac.cc b/net/cert/x509_certificate_mac.cc
index a7f862469b..ab479384a1 100644
--- a/net/cert/x509_certificate_mac.cc
+++ b/net/cert/x509_certificate_mac.cc
@@ -196,33 +196,6 @@ void AddCertificatesFromBytes(const char* data, size_t length,
   }
 }
 
-struct CSSMOIDString {
-  const CSSM_OID* oid_;
-  std::string string_;
-};
-
-typedef std::vector<CSSMOIDString> CSSMOIDStringVector;
-
-class ScopedEncodedCertResults {
- public:
-  explicit ScopedEncodedCertResults(CSSM_TP_RESULT_SET* results)
-      : results_(results) { }
-  ~ScopedEncodedCertResults() {
-    if (results_) {
-      CSSM_ENCODED_CERT* encCert =
-          reinterpret_cast<CSSM_ENCODED_CERT*>(results_->Results);
-      for (uint32 i = 0; i < results_->NumberOfResults; i++) {
-        crypto::CSSMFree(encCert[i].CertBlob.Data);
-      }
-      crypto::CSSMFree(results_->Results);
-      crypto::CSSMFree(results_);
-    }
-  }
-
- private:
-  CSSM_TP_RESULT_SET* results_;
-};
-
 }  // namespace
 
 void X509Certificate::Initialize() {
diff --git a/net/cert_verify_status_android_java.target.darwin-arm.mk b/net/cert_verify_status_android_java.target.darwin-arm.mk
index 0ee66cf95f..1dfb9bd68b 100644
--- a/net/cert_verify_status_android_java.target.darwin-arm.mk
+++ b/net/cert_verify_status_android_java.target.darwin-arm.mk
@@ -94,6 +94,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -176,6 +177,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/cert_verify_status_android_java.target.darwin-mips.mk b/net/cert_verify_status_android_java.target.darwin-mips.mk
index 73fb42ad58..745c8c2bb1 100644
--- a/net/cert_verify_status_android_java.target.darwin-mips.mk
+++ b/net/cert_verify_status_android_java.target.darwin-mips.mk
@@ -93,6 +93,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -174,6 +175,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/cert_verify_status_android_java.target.darwin-x86.mk b/net/cert_verify_status_android_java.target.darwin-x86.mk
index df708b986c..492877cf67 100644
--- a/net/cert_verify_status_android_java.target.darwin-x86.mk
+++ b/net/cert_verify_status_android_java.target.darwin-x86.mk
@@ -95,6 +95,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -177,6 +178,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/cert_verify_status_android_java.target.darwin-x86_64.mk b/net/cert_verify_status_android_java.target.darwin-x86_64.mk
new file mode 100644
index 0000000000..cdabc2bda2
--- /dev/null
+++ b/net/cert_verify_status_android_java.target.darwin-x86_64.mk
@@ -0,0 +1,233 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_cert_verify_status_android_java_gyp
+LOCAL_MODULE_STEM := cert_verify_status_android_java
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_cert_verify_status_android_java_target_generate_java_constants":
+# "{'inputs': ['../build/android/gyp/util/build_utils.py', '../build/android/gyp/gcc_preprocess.py', 'android/cert_verify_status_android_list.h'], 'extension': 'template', 'outputs': ['$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'], 'variables': {'output_path': '$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'}, 'rule_name': 'generate_java_constants', 'rule_sources': ['android/java/CertVerifyStatusAndroid.template'], 'action': ['python', '../build/android/gyp/gcc_preprocess.py', '--include-path=..', '--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java', '--template=$(RULE_SOURCES)'], 'message': 'Generating Java from cpp template $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: $(LOCAL_PATH)/net/android/java/CertVerifyStatusAndroid.template $(LOCAL_PATH)/build/android/gyp/util/build_utils.py $(LOCAL_PATH)/build/android/gyp/gcc_preprocess.py $(LOCAL_PATH)/net/android/cert_verify_status_android_list.h $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/templates/org/chromium/net; cd $(gyp_local_path)/net; python ../build/android/gyp/gcc_preprocess.py "--include-path=.." "--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java" "--template=android/java/CertVerifyStatusAndroid.template"
+
+.PHONY: net_cert_verify_status_android_java_gyp_rule_trigger
+net_cert_verify_status_android_java_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	net_cert_verify_status_android_java_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_cert_verify_status_android_java_gyp
+
+# Alias gyp target name.
+.PHONY: cert_verify_status_android_java
+cert_verify_status_android_java: net_cert_verify_status_android_java_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/cert_verify_status_android_java.target.linux-arm.mk b/net/cert_verify_status_android_java.target.linux-arm.mk
index 0ee66cf95f..1dfb9bd68b 100644
--- a/net/cert_verify_status_android_java.target.linux-arm.mk
+++ b/net/cert_verify_status_android_java.target.linux-arm.mk
@@ -94,6 +94,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -176,6 +177,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/cert_verify_status_android_java.target.linux-mips.mk b/net/cert_verify_status_android_java.target.linux-mips.mk
index 73fb42ad58..745c8c2bb1 100644
--- a/net/cert_verify_status_android_java.target.linux-mips.mk
+++ b/net/cert_verify_status_android_java.target.linux-mips.mk
@@ -93,6 +93,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -174,6 +175,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/cert_verify_status_android_java.target.linux-x86.mk b/net/cert_verify_status_android_java.target.linux-x86.mk
index df708b986c..492877cf67 100644
--- a/net/cert_verify_status_android_java.target.linux-x86.mk
+++ b/net/cert_verify_status_android_java.target.linux-x86.mk
@@ -95,6 +95,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -177,6 +178,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/cert_verify_status_android_java.target.linux-x86_64.mk b/net/cert_verify_status_android_java.target.linux-x86_64.mk
new file mode 100644
index 0000000000..cdabc2bda2
--- /dev/null
+++ b/net/cert_verify_status_android_java.target.linux-x86_64.mk
@@ -0,0 +1,233 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_cert_verify_status_android_java_gyp
+LOCAL_MODULE_STEM := cert_verify_status_android_java
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_cert_verify_status_android_java_target_generate_java_constants":
+# "{'inputs': ['../build/android/gyp/util/build_utils.py', '../build/android/gyp/gcc_preprocess.py', 'android/cert_verify_status_android_list.h'], 'extension': 'template', 'outputs': ['$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'], 'variables': {'output_path': '$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'}, 'rule_name': 'generate_java_constants', 'rule_sources': ['android/java/CertVerifyStatusAndroid.template'], 'action': ['python', '../build/android/gyp/gcc_preprocess.py', '--include-path=..', '--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java', '--template=$(RULE_SOURCES)'], 'message': 'Generating Java from cpp template $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java: $(LOCAL_PATH)/net/android/java/CertVerifyStatusAndroid.template $(LOCAL_PATH)/build/android/gyp/util/build_utils.py $(LOCAL_PATH)/build/android/gyp/gcc_preprocess.py $(LOCAL_PATH)/net/android/cert_verify_status_android_list.h $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/templates/org/chromium/net; cd $(gyp_local_path)/net; python ../build/android/gyp/gcc_preprocess.py "--include-path=.." "--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java" "--template=android/java/CertVerifyStatusAndroid.template"
+
+.PHONY: net_cert_verify_status_android_java_gyp_rule_trigger
+net_cert_verify_status_android_java_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertVerifyStatusAndroid.java
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	net_cert_verify_status_android_java_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_cert_verify_status_android_java_gyp
+
+# Alias gyp target name.
+.PHONY: cert_verify_status_android_java
+cert_verify_status_android_java: net_cert_verify_status_android_java_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/certificate_mime_types_java.target.darwin-arm.mk b/net/certificate_mime_types_java.target.darwin-arm.mk
index 65c5467137..9b2ad25704 100644
--- a/net/certificate_mime_types_java.target.darwin-arm.mk
+++ b/net/certificate_mime_types_java.target.darwin-arm.mk
@@ -94,6 +94,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -176,6 +177,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/certificate_mime_types_java.target.darwin-mips.mk b/net/certificate_mime_types_java.target.darwin-mips.mk
index 6cef8b573b..21f56e893a 100644
--- a/net/certificate_mime_types_java.target.darwin-mips.mk
+++ b/net/certificate_mime_types_java.target.darwin-mips.mk
@@ -93,6 +93,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -174,6 +175,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/certificate_mime_types_java.target.darwin-x86.mk b/net/certificate_mime_types_java.target.darwin-x86.mk
index 15771ebc48..3df90609fc 100644
--- a/net/certificate_mime_types_java.target.darwin-x86.mk
+++ b/net/certificate_mime_types_java.target.darwin-x86.mk
@@ -95,6 +95,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -177,6 +178,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/certificate_mime_types_java.target.darwin-x86_64.mk b/net/certificate_mime_types_java.target.darwin-x86_64.mk
new file mode 100644
index 0000000000..b424379376
--- /dev/null
+++ b/net/certificate_mime_types_java.target.darwin-x86_64.mk
@@ -0,0 +1,233 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_certificate_mime_types_java_gyp
+LOCAL_MODULE_STEM := certificate_mime_types_java
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_certificate_mime_types_java_target_generate_java_constants":
+# "{'inputs': ['../build/android/gyp/util/build_utils.py', '../build/android/gyp/gcc_preprocess.py', 'base/mime_util_certificate_type_list.h'], 'extension': 'template', 'outputs': ['$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'], 'variables': {'output_path': '$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'}, 'rule_name': 'generate_java_constants', 'rule_sources': ['android/java/CertificateMimeType.template'], 'action': ['python', '../build/android/gyp/gcc_preprocess.py', '--include-path=..', '--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java', '--template=$(RULE_SOURCES)'], 'message': 'Generating Java from cpp template $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: $(LOCAL_PATH)/net/android/java/CertificateMimeType.template $(LOCAL_PATH)/build/android/gyp/util/build_utils.py $(LOCAL_PATH)/build/android/gyp/gcc_preprocess.py $(LOCAL_PATH)/net/base/mime_util_certificate_type_list.h $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/templates/org/chromium/net; cd $(gyp_local_path)/net; python ../build/android/gyp/gcc_preprocess.py "--include-path=.." "--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java" "--template=android/java/CertificateMimeType.template"
+
+.PHONY: net_certificate_mime_types_java_gyp_rule_trigger
+net_certificate_mime_types_java_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	net_certificate_mime_types_java_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_certificate_mime_types_java_gyp
+
+# Alias gyp target name.
+.PHONY: certificate_mime_types_java
+certificate_mime_types_java: net_certificate_mime_types_java_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/certificate_mime_types_java.target.linux-arm.mk b/net/certificate_mime_types_java.target.linux-arm.mk
index 65c5467137..9b2ad25704 100644
--- a/net/certificate_mime_types_java.target.linux-arm.mk
+++ b/net/certificate_mime_types_java.target.linux-arm.mk
@@ -94,6 +94,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -176,6 +177,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/certificate_mime_types_java.target.linux-mips.mk b/net/certificate_mime_types_java.target.linux-mips.mk
index 6cef8b573b..21f56e893a 100644
--- a/net/certificate_mime_types_java.target.linux-mips.mk
+++ b/net/certificate_mime_types_java.target.linux-mips.mk
@@ -93,6 +93,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -174,6 +175,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/certificate_mime_types_java.target.linux-x86.mk b/net/certificate_mime_types_java.target.linux-x86.mk
index 15771ebc48..3df90609fc 100644
--- a/net/certificate_mime_types_java.target.linux-x86.mk
+++ b/net/certificate_mime_types_java.target.linux-x86.mk
@@ -95,6 +95,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -177,6 +178,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/certificate_mime_types_java.target.linux-x86_64.mk b/net/certificate_mime_types_java.target.linux-x86_64.mk
new file mode 100644
index 0000000000..b424379376
--- /dev/null
+++ b/net/certificate_mime_types_java.target.linux-x86_64.mk
@@ -0,0 +1,233 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_certificate_mime_types_java_gyp
+LOCAL_MODULE_STEM := certificate_mime_types_java
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_certificate_mime_types_java_target_generate_java_constants":
+# "{'inputs': ['../build/android/gyp/util/build_utils.py', '../build/android/gyp/gcc_preprocess.py', 'base/mime_util_certificate_type_list.h'], 'extension': 'template', 'outputs': ['$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'], 'variables': {'output_path': '$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'}, 'rule_name': 'generate_java_constants', 'rule_sources': ['android/java/CertificateMimeType.template'], 'action': ['python', '../build/android/gyp/gcc_preprocess.py', '--include-path=..', '--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java', '--template=$(RULE_SOURCES)'], 'message': 'Generating Java from cpp template $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java: $(LOCAL_PATH)/net/android/java/CertificateMimeType.template $(LOCAL_PATH)/build/android/gyp/util/build_utils.py $(LOCAL_PATH)/build/android/gyp/gcc_preprocess.py $(LOCAL_PATH)/net/base/mime_util_certificate_type_list.h $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/templates/org/chromium/net; cd $(gyp_local_path)/net; python ../build/android/gyp/gcc_preprocess.py "--include-path=.." "--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java" "--template=android/java/CertificateMimeType.template"
+
+.PHONY: net_certificate_mime_types_java_gyp_rule_trigger
+net_certificate_mime_types_java_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/templates/org/chromium/net/CertificateMimeType.java
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	net_certificate_mime_types_java_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_certificate_mime_types_java_gyp
+
+# Alias gyp target name.
+.PHONY: certificate_mime_types_java
+certificate_mime_types_java: net_certificate_mime_types_java_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/cookies/cookie_monster.h b/net/cookies/cookie_monster.h
index 455484ef1b..5a06922391 100644
--- a/net/cookies/cookie_monster.h
+++ b/net/cookies/cookie_monster.h
@@ -187,11 +187,6 @@ class NET_EXPORT CookieMonster : public CookieStore {
       const CookieOptions& options,
       const GetCookieListCallback& callback);
 
-  // Invokes GetAllCookiesForURLWithOptions with options set to include HTTP
-  // only cookies.
-  void GetAllCookiesForURLAsync(const GURL& url,
-                                const GetCookieListCallback& callback);
-
   // Deletes all of the cookies.
   void DeleteAllAsync(const DeleteCallback& callback);
 
@@ -257,6 +252,12 @@ class NET_EXPORT CookieMonster : public CookieStore {
       const CookieOptions& options,
       const GetCookiesCallback& callback) OVERRIDE;
 
+  // Invokes GetAllCookiesForURLWithOptions with options set to include HTTP
+  // only cookies.
+  virtual void GetAllCookiesForURLAsync(
+      const GURL& url,
+      const GetCookieListCallback& callback) OVERRIDE;
+
   // Deletes all cookies with that might apply to |url| that has |cookie_name|.
   virtual void DeleteCookieAsync(
       const GURL& url, const std::string& cookie_name,
diff --git a/net/cookies/cookie_store.h b/net/cookies/cookie_store.h
index 730f7106a7..b2552a6cf0 100644
--- a/net/cookies/cookie_store.h
+++ b/net/cookies/cookie_store.h
@@ -15,6 +15,7 @@
 #include "base/memory/ref_counted.h"
 #include "base/time/time.h"
 #include "net/base/net_export.h"
+#include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_options.h"
 
 class GURL;
@@ -28,8 +29,8 @@ class CookieMonster;
 class NET_EXPORT CookieStore : public base::RefCountedThreadSafe<CookieStore> {
  public:
   // Callback definitions.
-  typedef base::Callback<void(const std::string& cookie)>
-      GetCookiesCallback;
+  typedef base::Callback<void(const CookieList& cookies)> GetCookieListCallback;
+  typedef base::Callback<void(const std::string& cookie)> GetCookiesCallback;
   typedef base::Callback<void(bool success)> SetCookiesCallback;
   typedef base::Callback<void(int num_deleted)> DeleteCallback;
 
@@ -55,6 +56,12 @@ class NET_EXPORT CookieStore : public base::RefCountedThreadSafe<CookieStore> {
       const CookieOptions& options,
       const GetCookiesCallback& callback) = 0;
 
+  // Returns all matching cookies without marking them as accessed,
+  // including HTTP only cookies.
+  virtual void GetAllCookiesForURLAsync(
+      const GURL& url,
+      const GetCookieListCallback& callback) = 0;
+
   // Deletes the passed in cookie for the specified URL.
   virtual void DeleteCookieAsync(const GURL& url,
                                  const std::string& cookie_name,
diff --git a/net/cookies/cookie_store_test_helpers.cc b/net/cookies/cookie_store_test_helpers.cc
index 68086e1c4e..fdf2c1f1ee 100644
--- a/net/cookies/cookie_store_test_helpers.cc
+++ b/net/cookies/cookie_store_test_helpers.cc
@@ -68,6 +68,12 @@ void DelayedCookieMonster::GetCookiesWithOptionsAsync(
       base::TimeDelta::FromMilliseconds(kDelayedTime));
 }
 
+void DelayedCookieMonster::GetAllCookiesForURLAsync(
+    const GURL& url,
+    const GetCookieListCallback& callback) {
+  cookie_monster_->GetAllCookiesForURLAsync(url, callback);
+}
+
 void DelayedCookieMonster::InvokeSetCookiesCallback(
     const CookieMonster::SetCookiesCallback& callback) {
   if (!callback.is_null())
diff --git a/net/cookies/cookie_store_test_helpers.h b/net/cookies/cookie_store_test_helpers.h
index 3119e03229..84b83bc062 100644
--- a/net/cookies/cookie_store_test_helpers.h
+++ b/net/cookies/cookie_store_test_helpers.h
@@ -34,6 +34,10 @@ class DelayedCookieMonster : public CookieStore {
       const CookieOptions& options,
       const CookieMonster::GetCookiesCallback& callback) OVERRIDE;
 
+  virtual void GetAllCookiesForURLAsync(
+      const GURL& url,
+      const GetCookieListCallback& callback) OVERRIDE;
+
   virtual bool SetCookieWithOptions(const GURL& url,
                                     const std::string& cookie_line,
                                     const CookieOptions& options);
diff --git a/net/cronet/android/url_request_context_peer.cc b/net/cronet/android/url_request_context_peer.cc
index 2c754dbeac..e36763228e 100644
--- a/net/cronet/android/url_request_context_peer.cc
+++ b/net/cronet/android/url_request_context_peer.cc
@@ -44,7 +44,8 @@ class BasicNetworkDelegate : public net::NetworkDelegate {
       net::URLRequest* request,
       const net::CompletionCallback& callback,
       const net::HttpResponseHeaders* original_response_headers,
-      scoped_refptr<net::HttpResponseHeaders>* _response_headers) OVERRIDE {
+      scoped_refptr<net::HttpResponseHeaders>* _response_headers,
+      GURL* allowed_unsafe_redirect_url) OVERRIDE {
     return net::OK;
   }
 
diff --git a/net/data/url_request_unittest/redirect302-to-echo-cacheable b/net/data/url_request_unittest/redirect302-to-echo-cacheable
new file mode 100644
index 0000000000..7898192261
--- /dev/null
+++ b/net/data/url_request_unittest/redirect302-to-echo-cacheable
@@ -0,0 +1 @@
+a
diff --git a/net/data/url_request_unittest/redirect302-to-echo-cacheable.mock-http-headers b/net/data/url_request_unittest/redirect302-to-echo-cacheable.mock-http-headers
new file mode 100644
index 0000000000..fce2271606
--- /dev/null
+++ b/net/data/url_request_unittest/redirect302-to-echo-cacheable.mock-http-headers
@@ -0,0 +1,4 @@
+HTTP/1.1 302 Yo
+Location: /echo
+Content-Length: 1
+Cache-control: max-age=60000
diff --git a/net/data/websocket/close-with-split-packet_wsh.py b/net/data/websocket/close-with-split-packet_wsh.py
index d5185c4114..3bd5b58b25 100644
--- a/net/data/websocket/close-with-split-packet_wsh.py
+++ b/net/data/websocket/close-with-split-packet_wsh.py
@@ -13,17 +13,12 @@ def web_socket_do_extra_handshake(_request):
 
 
 def web_socket_transfer_data(request):
-  line = request.ws_stream.receive_message()
-  if line is None:
-    return
-  if isinstance(line, unicode):
-    request.ws_stream.send_message(line, binary=False)
-  else:
-    request.ws_stream.send_message(line, binary=True)
+  # Just waiting...
+  request.ws_stream.receive_message()
 
 
 def web_socket_passive_closing_handshake(request):
-  code = struct.pack('!H', 1000)
+  code = struct.pack('!H', 3004)
   packet = stream.create_close_frame(code + 'split test'.encode('utf-8'))
   request.connection.write(packet[:1])
   request.connection.write(packet[1:])
diff --git a/net/data/websocket/split_packet_check.html b/net/data/websocket/split_packet_check.html
index 8e273ec284..a7f4c365f5 100644
--- a/net/data/websocket/split_packet_check.html
+++ b/net/data/websocket/split_packet_check.html
@@ -26,7 +26,7 @@ ws.onopen = function()
 ws.onclose = function(event)
 {
   // Check wasClean, then set proper title.
-  if (event.wasClean)
+  if (event.wasClean && event.code === 3004 && event.reason === 'split test')
     document.title = 'PASS';
   else
     document.title = 'FAIL';
diff --git a/net/disk_cache/backend_unittest.cc b/net/disk_cache/backend_unittest.cc
index 68da572deb..e118dc6a9b 100644
--- a/net/disk_cache/backend_unittest.cc
+++ b/net/disk_cache/backend_unittest.cc
@@ -668,6 +668,9 @@ TEST_F(DiskCacheBackendTest, ShutdownWithPendingCreate_Fast) {
 }
 #endif
 
+// Disabled on android since this test requires cache creator to create
+// blockfile caches.
+#if !defined(OS_ANDROID)
 TEST_F(DiskCacheTest, TruncatedIndex) {
   ASSERT_TRUE(CleanupCacheDir());
   base::FilePath index = cache_path_.AppendASCII("index");
@@ -693,6 +696,7 @@ TEST_F(DiskCacheTest, TruncatedIndex) {
 
   ASSERT_FALSE(backend);
 }
+#endif
 
 void DiskCacheBackendTest::BackendSetSize() {
   const int cache_size = 0x10000;  // 64 kB
@@ -1837,6 +1841,9 @@ class BadEntropyProvider : public base::FieldTrial::EntropyProvider {
 
 // Tests that the disk cache successfully joins the control group, dropping the
 // existing cache in favour of a new empty cache.
+// Disabled on android since this test requires cache creator to create
+// blockfile caches.
+#if !defined(OS_ANDROID)
 TEST_F(DiskCacheTest, SimpleCacheControlJoin) {
   base::Thread cache_thread("CacheThread");
   ASSERT_TRUE(cache_thread.StartWithOptions(
@@ -1867,6 +1874,7 @@ TEST_F(DiskCacheTest, SimpleCacheControlJoin) {
   ASSERT_EQ(net::OK, cb.GetResult(rv));
   EXPECT_EQ(0, base_cache->GetEntryCount());
 }
+#endif
 
 // Tests that the disk cache can restart in the control group preserving
 // existing entries.
@@ -1945,6 +1953,9 @@ TEST_F(DiskCacheTest, SimpleCacheControlLeave) {
 }
 
 // Tests that the cache is properly restarted on recovery error.
+// Disabled on android since this test requires cache creator to create
+// blockfile caches.
+#if !defined(OS_ANDROID)
 TEST_F(DiskCacheBackendTest, DeleteOld) {
   ASSERT_TRUE(CopyTestCache("wrong_version"));
   SetNewEviction();
@@ -1971,6 +1982,7 @@ TEST_F(DiskCacheBackendTest, DeleteOld) {
   cache_.reset();
   EXPECT_TRUE(CheckCacheIntegrity(cache_path_, new_eviction_, mask_));
 }
+#endif
 
 // We want to be able to deal with messed up entries on disk.
 void DiskCacheBackendTest::BackendInvalidEntry2() {
diff --git a/net/disk_cache/blockfile/backend_impl_v3.h b/net/disk_cache/blockfile/backend_impl_v3.h
index adb926c9a5..37f90aaf15 100644
--- a/net/disk_cache/blockfile/backend_impl_v3.h
+++ b/net/disk_cache/blockfile/backend_impl_v3.h
@@ -194,6 +194,7 @@ class NET_EXPORT_PRIVATE BackendImplV3 : public Backend {
  private:
   friend class EvictionV3;
   typedef base::hash_map<CacheAddr, EntryImplV3*> EntriesMap;
+  class Worker;
 
   void AdjustMaxCacheSize();
   bool InitStats(void* stats_data);
diff --git a/net/disk_cache/blockfile/backend_worker_v3.cc b/net/disk_cache/blockfile/backend_worker_v3.cc
index d02eee523a..ab432c4a39 100644
--- a/net/disk_cache/blockfile/backend_worker_v3.cc
+++ b/net/disk_cache/blockfile/backend_worker_v3.cc
@@ -8,28 +8,15 @@
 #include "base/bind_helpers.h"
 #include "base/file_util.h"
 #include "base/files/file_path.h"
-#include "base/hash.h"
 #include "base/message_loop/message_loop.h"
-#include "base/metrics/field_trial.h"
-#include "base/metrics/histogram.h"
-#include "base/metrics/stats_counters.h"
-#include "base/rand_util.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
-#include "base/sys_info.h"
-#include "base/threading/thread_restrictions.h"
 #include "base/time/time.h"
 #include "base/timer/timer.h"
 #include "net/base/net_errors.h"
-#include "net/disk_cache/blockfile/entry_impl.h"
 #include "net/disk_cache/blockfile/errors.h"
 #include "net/disk_cache/blockfile/experiments.h"
 #include "net/disk_cache/blockfile/file.h"
-#include "net/disk_cache/blockfile/histogram_macros.h"
-#include "net/disk_cache/cache_util.h"
-
-// Provide a BackendImpl object to macros from histogram_macros.h.
-#define CACHE_UMA_BACKEND_IMPL_OBJ this
 
 using base::Time;
 using base::TimeDelta;
@@ -37,6 +24,8 @@ using base::TimeTicks;
 
 namespace {
 
+#if defined(V3_NOT_JUST_YET_READY)
+
 const char* kIndexName = "index";
 
 // Seems like ~240 MB correspond to less than 50k entries for 99% of the people.
@@ -96,6 +85,7 @@ bool InitExperiment(disk_cache::IndexHeader* header, bool cache_created) {
   header->experiment = disk_cache::NO_EXPERIMENT;
   return true;
 }
+#endif  // defined(V3_NOT_JUST_YET_READY).
 
 }  // namespace
 
@@ -103,31 +93,15 @@ bool InitExperiment(disk_cache::IndexHeader* header, bool cache_created) {
 
 namespace disk_cache {
 
-BackendImpl::BackendImpl(const base::FilePath& path,
-                         base::MessageLoopProxy* cache_thread,
-                         net::NetLog* net_log)
-    : background_queue_(this, cache_thread),
-      path_(path),
-      block_files_(path),
-      mask_(0),
-      max_size_(0),
-      up_ticks_(0),
-      cache_type_(net::DISK_CACHE),
-      uma_report_(0),
-      user_flags_(0),
-      init_(false),
-      restarted_(false),
-      unit_test_(false),
-      read_only_(false),
-      disabled_(false),
-      new_eviction_(false),
-      first_timer_(true),
-      user_load_(false),
-      net_log_(net_log),
-      done_(true, false),
-      ptr_factory_(this) {
+BackendImplV3::Worker::Worker(const base::FilePath& path,
+                              base::MessageLoopProxy* main_thread)
+      : path_(path),
+        block_files_(path),
+        init_(false) {
 }
 
+#if defined(V3_NOT_JUST_YET_READY)
+
 int BackendImpl::SyncInit() {
 #if defined(NET_BUILD_STRESS_CACHE)
   // Start evictions right away.
@@ -482,4 +456,13 @@ bool BackendImpl::InitStats() {
   return true;
 }
 
+#endif  // defined(V3_NOT_JUST_YET_READY).
+
+int BackendImplV3::Worker::Init(const CompletionCallback& callback) {
+  return net::ERR_FAILED;
+}
+
+BackendImplV3::Worker::~Worker() {
+}
+
 }  // namespace disk_cache
diff --git a/net/disk_cache/blockfile/backend_worker_v3.h b/net/disk_cache/blockfile/backend_worker_v3.h
index a184d8f707..d0829b9634 100644
--- a/net/disk_cache/blockfile/backend_worker_v3.h
+++ b/net/disk_cache/blockfile/backend_worker_v3.h
@@ -9,30 +9,23 @@
 
 #include "base/containers/hash_tables.h"
 #include "base/files/file_path.h"
-#include "base/timer/timer.h"
+#include "net/disk_cache/blockfile/addr.h"
+#include "net/disk_cache/blockfile/backend_impl_v3.h"
 #include "net/disk_cache/blockfile/block_files.h"
-#include "net/disk_cache/blockfile/eviction.h"
-#include "net/disk_cache/blockfile/in_flight_backend_io.h"
-#include "net/disk_cache/blockfile/rankings.h"
-#include "net/disk_cache/blockfile/stats.h"
-#include "net/disk_cache/blockfile/stress_support.h"
-#include "net/disk_cache/blockfile/trace.h"
-#include "net/disk_cache/disk_cache.h"
 
 namespace disk_cache {
 
-// This class implements the Backend interface. An object of this
-// class handles the operations of the cache for a particular profile.
-class NET_EXPORT_PRIVATE BackendImpl : public Backend {
-  friend class Eviction;
+class BackendImplV3::Worker : public base::RefCountedThreadSafe<Worker> {
  public:
-  BackendImpl(const base::FilePath& path, base::MessageLoopProxy* cache_thread,
-              net::NetLog* net_log);
+  Worker(const base::FilePath& path, base::MessageLoopProxy* main_thread);
 
   // Performs general initialization for this current instance of the cache.
   int Init(const CompletionCallback& callback);
 
  private:
+  friend class base::RefCountedThreadSafe<Worker>;
+
+  ~Worker();
   void CleanupCache();
 
   // Returns the full name for an external storage file.
@@ -42,9 +35,6 @@ class NET_EXPORT_PRIVATE BackendImpl : public Backend {
   bool CreateBackingStore(disk_cache::File* file);
   bool InitBackingStore(bool* file_created);
 
-  // Reports an uncommon, recoverable error.
-  void ReportError(int error);
-
   // Performs basic checks on the index file. Returns false on failure.
   bool CheckIndex();
 
@@ -52,7 +42,7 @@ class NET_EXPORT_PRIVATE BackendImpl : public Backend {
   BlockFiles block_files_;  // Set of files used to store all data.
   bool init_;  // controls the initialization of the system.
 
-  DISALLOW_COPY_AND_ASSIGN(BackendImpl);
+  DISALLOW_COPY_AND_ASSIGN(Worker);
 };
 
 }  // namespace disk_cache
diff --git a/net/disk_cache/cache_creator.cc b/net/disk_cache/cache_creator.cc
index 102e10218a..866df10e37 100644
--- a/net/disk_cache/cache_creator.cc
+++ b/net/disk_cache/cache_creator.cc
@@ -79,11 +79,14 @@ CacheCreator::~CacheCreator() {
 }
 
 int CacheCreator::Run() {
-  // TODO(gavinp,pasko): Turn Simple Cache on for more cache types as
-  // appropriate.
-  if (backend_type_ == net::CACHE_BACKEND_SIMPLE &&
-      (type_ == net::DISK_CACHE || type_ == net::APP_CACHE ||
-       type_ == net::MEDIA_CACHE)) {
+#if defined(OS_ANDROID)
+  static const bool kSimpleBackendIsDefault = true;
+#else
+  static const bool kSimpleBackendIsDefault = false;
+#endif
+  if (backend_type_ == net::CACHE_BACKEND_SIMPLE ||
+      (backend_type_ == net::CACHE_BACKEND_DEFAULT &&
+       kSimpleBackendIsDefault)) {
     disk_cache::SimpleBackendImpl* simple_cache =
         new disk_cache::SimpleBackendImpl(path_, max_bytes_, type_,
                                           thread_.get(), net_log_);
@@ -91,6 +94,11 @@ int CacheCreator::Run() {
     return simple_cache->Init(
         base::Bind(&CacheCreator::OnIOComplete, base::Unretained(this)));
   }
+
+  // Avoid references to blockfile functions on Android to reduce binary size.
+#if defined(OS_ANDROID)
+  return net::ERR_FAILED;
+#else
   disk_cache::BackendImpl* new_cache =
       new disk_cache::BackendImpl(path_, thread_.get(), net_log_);
   created_cache_.reset(new_cache);
@@ -101,6 +109,7 @@ int CacheCreator::Run() {
       base::Bind(&CacheCreator::OnIOComplete, base::Unretained(this)));
   DCHECK_EQ(net::ERR_IO_PENDING, rv);
   return rv;
+#endif
 }
 
 void CacheCreator::DoCallback(int result) {
diff --git a/net/disk_cache/simple/simple_histogram_macros.h b/net/disk_cache/simple/simple_histogram_macros.h
index f800a6f40a..39fdff73ce 100644
--- a/net/disk_cache/simple/simple_histogram_macros.h
+++ b/net/disk_cache/simple/simple_histogram_macros.h
@@ -16,6 +16,9 @@
 
 #define SIMPLE_CACHE_THUNK(uma_type, args) UMA_HISTOGRAM_##uma_type args
 
+// TODO(pasko): add histograms for shader cache as soon as it becomes possible
+// for a user to get shader cache with the |SimpleBackendImpl| without altering
+// any flags.
 #define SIMPLE_CACHE_UMA(uma_type, uma_name, cache_type, ...)          \
   do {                                                                 \
     switch (cache_type) {                                              \
@@ -31,6 +34,8 @@
         SIMPLE_CACHE_THUNK(                                            \
             uma_type, ("SimpleCache.Media." uma_name, ##__VA_ARGS__)); \
         break;                                                         \
+      case net::SHADER_CACHE:                                          \
+        break;                                                         \
       default:                                                         \
         NOTREACHED();                                                  \
         break;                                                         \
diff --git a/net/dns/mapped_ip_resolver.cc b/net/dns/mapped_ip_resolver.cc
deleted file mode 100644
index 58d01a374e..0000000000
--- a/net/dns/mapped_ip_resolver.cc
+++ /dev/null
@@ -1,69 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/dns/mapped_ip_resolver.h"
-
-#include "base/strings/string_util.h"
-#include "net/base/net_errors.h"
-#include "net/base/net_util.h"
-
-namespace net {
-
-MappedIPResolver::MappedIPResolver(scoped_ptr<HostResolver> impl)
-    : impl_(impl.Pass()),
-      weak_factory_(this) {
-}
-
-MappedIPResolver::~MappedIPResolver() {}
-
-int MappedIPResolver::Resolve(const RequestInfo& info,
-                              RequestPriority priority,
-                              AddressList* addresses,
-                              const CompletionCallback& callback,
-                              RequestHandle* out_req,
-                              const BoundNetLog& net_log) {
-  CompletionCallback new_callback = base::Bind(&MappedIPResolver::ApplyRules,
-                                               weak_factory_.GetWeakPtr(),
-                                               callback, addresses);
-  int rv = impl_->Resolve(info, priority, addresses, new_callback, out_req,
-                          net_log);
-  if (rv == OK)
-    rules_.RewriteAddresses(addresses);
-  return rv;
-}
-
-int MappedIPResolver::ResolveFromCache(const RequestInfo& info,
-                                       AddressList* addresses,
-                                       const BoundNetLog& net_log) {
-  int rv = impl_->ResolveFromCache(info, addresses, net_log);
-  if (rv == OK)
-    rules_.RewriteAddresses(addresses);
-  return rv;
-}
-
-void MappedIPResolver::CancelRequest(RequestHandle req) {
-  impl_->CancelRequest(req);
-}
-
-void MappedIPResolver::SetDnsClientEnabled(bool enabled) {
-  impl_->SetDnsClientEnabled(enabled);
-}
-
-HostCache* MappedIPResolver::GetHostCache() {
-  return impl_->GetHostCache();
-}
-
-base::Value* MappedIPResolver::GetDnsConfigAsValue() const {
-  return impl_->GetDnsConfigAsValue();
-}
-
-void MappedIPResolver::ApplyRules(const CompletionCallback& original_callback,
-                                  AddressList* addresses,
-                                  int rv) const {
-  if (rv == OK)
-    rules_.RewriteAddresses(addresses);
-  original_callback.Run(rv);
-}
-
-}  // namespace net
diff --git a/net/dns/mapped_ip_resolver.h b/net/dns/mapped_ip_resolver.h
deleted file mode 100644
index a3c7aa8dc5..0000000000
--- a/net/dns/mapped_ip_resolver.h
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_DNS_MAPPED_IP_RESOLVER_H_
-#define NET_DNS_MAPPED_IP_RESOLVER_H_
-
-#include <string>
-
-#include "base/memory/scoped_ptr.h"
-#include "base/memory/weak_ptr.h"
-#include "net/base/ip_mapping_rules.h"
-#include "net/base/net_export.h"
-#include "net/dns/host_resolver.h"
-
-namespace net {
-
-// This class wraps an existing HostResolver instance, but modifies the
-// resolution response by inserting or replacing IP addresses before returning
-// it.  Currently, the only directive suported is a "PREFACE" directive which
-// (when a match exists) inserts a single IP address at the start of a list.
-class NET_EXPORT MappedIPResolver : public HostResolver {
- public:
-  // Creates a MappedIPResolver that forwards all of its requests through
-  // |impl|.
-  explicit MappedIPResolver(scoped_ptr<HostResolver> impl);
-  virtual ~MappedIPResolver();
-
-  // Adds a rule to our IP mapper rules_.
-  // The most recently added rule "has priority" and will be used first (in
-  // preference to) any previous rules.  Once one rule is found that matches,
-  // no other rules will be considered.
-  // See ip_mapping_rules.h for syntax and semantics.
-  // Returns true if the rule was successfully parsed and added.
-  bool AddRuleFromString(const std::string& rule_string) {
-    return rules_.AddRuleFromString(rule_string);
-  }
-
-  // Takes a semicolon separated list of rules, and assigns them to this
-  // resolver, discarding any previously added or set rules.
-  void SetRulesFromString(const std::string& rules_string) {
-    rules_.SetRulesFromString(rules_string);
-  }
-
-  // HostResolver methods:
-  virtual int Resolve(const RequestInfo& info,
-                      RequestPriority priority,
-                      AddressList* addresses,
-                      const CompletionCallback& callback,
-                      RequestHandle* out_req,
-                      const BoundNetLog& net_log) OVERRIDE;
-  virtual int ResolveFromCache(const RequestInfo& info,
-                               AddressList* addresses,
-                               const BoundNetLog& net_log) OVERRIDE;
-  virtual void CancelRequest(RequestHandle req) OVERRIDE;
-  virtual void SetDnsClientEnabled(bool enabled) OVERRIDE;
-  virtual HostCache* GetHostCache() OVERRIDE;
-  virtual base::Value* GetDnsConfigAsValue() const OVERRIDE;
-
- private:
-  // Modify the list of resolution |addresses| according to |rules_|, and then
-  // calls the |original_callback| with network error code |rv|.
-  void ApplyRules(const CompletionCallback& original_callback,
-                  AddressList* addresses,
-                  int rv) const;
-
-  scoped_ptr<HostResolver> impl_;
-  IPMappingRules rules_;
-
-  base::WeakPtrFactory<MappedIPResolver> weak_factory_;
-  DISALLOW_COPY_AND_ASSIGN(MappedIPResolver);
-};
-
-}  // namespace net
-
-#endif  // NET_DNS_MAPPED_IP_RESOLVER_H_
diff --git a/net/filter/filter.cc b/net/filter/filter.cc
index 244abaea10..90d91e161b 100644
--- a/net/filter/filter.cc
+++ b/net/filter/filter.cc
@@ -8,6 +8,7 @@
 #include "base/strings/string_util.h"
 #include "net/base/io_buffer.h"
 #include "net/base/mime_util.h"
+#include "net/base/net_util.h"
 #include "net/filter/gzip_filter.h"
 #include "net/filter/sdch_filter.h"
 
@@ -170,11 +171,14 @@ void Filter::FixupEncodingTypes(
       encoding_types->clear();
 
     GURL url;
+    std::string disposition;
     success = filter_context.GetURL(&url);
     DCHECK(success);
-    base::FilePath filename =
-        base::FilePath().AppendASCII(url.ExtractFileName());
-    base::FilePath::StringType extension = filename.Extension();
+    filter_context.GetContentDisposition(&disposition);
+    // Don't supply a MIME type here, since that may cause disk IO.
+    base::FilePath filepath = GenerateFileName(url, disposition, "UTF-8", "",
+                                               "", "");
+    base::FilePath::StringType extension = filepath.Extension();
 
     if (filter_context.IsDownload()) {
       // We don't want to decompress gzipped files when the user explicitly
diff --git a/net/filter/filter.h b/net/filter/filter.h
index 1b4d2f5bf2..81890997ef 100644
--- a/net/filter/filter.h
+++ b/net/filter/filter.h
@@ -74,6 +74,10 @@ class NET_EXPORT_PRIVATE FilterContext {
   // Return false if gurl is not present.
   virtual bool GetURL(GURL* gurl) const = 0;
 
+  // What Content-Disposition header came with this data?
+  // Return false if no header was present.
+  virtual bool GetContentDisposition(std::string* disposition) const = 0;
+
   // When was this data requested from a server?
   virtual base::Time GetRequestTime() const = 0;
 
diff --git a/net/filter/filter_unittest.cc b/net/filter/filter_unittest.cc
index 3b912520f8..08a2861699 100644
--- a/net/filter/filter_unittest.cc
+++ b/net/filter/filter_unittest.cc
@@ -82,6 +82,23 @@ TEST(FilterTest, ApacheGzip) {
   EXPECT_EQ(Filter::FILTER_TYPE_GZIP, encoding_types.front());
 }
 
+TEST(FilterTest, GzipContentDispositionFilename) {
+  MockFilterContext filter_context;
+  filter_context.SetSdchResponse(false);
+
+  const std::string kGzipMime("application/x-tar");
+  const std::string kContentDisposition("attachment; filename=\"foo.tgz\"");
+  const std::string kURL("http://foo.com/getfoo.php");
+  std::vector<Filter::FilterType> encoding_types;
+
+  encoding_types.push_back(Filter::FILTER_TYPE_GZIP);
+  filter_context.SetMimeType(kGzipMime);
+  filter_context.SetURL(GURL(kURL));
+  filter_context.SetContentDisposition(kContentDisposition);
+  Filter::FixupEncodingTypes(filter_context, &encoding_types);
+  ASSERT_EQ(0U, encoding_types.size());
+}
+
 TEST(FilterTest, SdchEncoding) {
   // Handle content encodings including SDCH.
   const std::string kTextHtmlMime("text/html");
diff --git a/net/filter/mock_filter_context.cc b/net/filter/mock_filter_context.cc
index ec6db0111c..06905c0e07 100644
--- a/net/filter/mock_filter_context.cc
+++ b/net/filter/mock_filter_context.cc
@@ -27,6 +27,13 @@ bool MockFilterContext::GetURL(GURL* gurl) const {
   return true;
 }
 
+bool MockFilterContext::GetContentDisposition(std::string* disposition) const {
+  if (content_disposition_.empty())
+    return false;
+  *disposition = content_disposition_;
+  return true;
+}
+
 // What was this data requested from a server?
 base::Time MockFilterContext::GetRequestTime() const {
   return request_time_;
diff --git a/net/filter/mock_filter_context.h b/net/filter/mock_filter_context.h
index 00fc8ed6ce..21e56ac92e 100644
--- a/net/filter/mock_filter_context.h
+++ b/net/filter/mock_filter_context.h
@@ -19,6 +19,9 @@ class MockFilterContext : public FilterContext {
 
   void SetMimeType(const std::string& mime_type) { mime_type_ = mime_type; }
   void SetURL(const GURL& gurl) { gurl_ = gurl; }
+  void SetContentDisposition(const std::string& disposition) {
+    content_disposition_ = disposition;
+  }
   void SetRequestTime(const base::Time time) { request_time_ = time; }
   void SetCached(bool is_cached) { is_cached_content_ = is_cached; }
   void SetDownload(bool is_download) { is_download_ = is_download; }
@@ -33,6 +36,10 @@ class MockFilterContext : public FilterContext {
   // Return false if gurl is not present.
   virtual bool GetURL(GURL* gurl) const OVERRIDE;
 
+  // What Content-Disposition did the server supply for this data?
+  // Return false if Content-Disposition was not present.
+  virtual bool GetContentDisposition(std::string* disposition) const OVERRIDE;
+
   // What was this data requested from a server?
   virtual base::Time GetRequestTime() const OVERRIDE;
 
@@ -55,6 +62,7 @@ class MockFilterContext : public FilterContext {
  private:
   int buffer_size_;
   std::string mime_type_;
+  std::string content_disposition_;
   GURL gurl_;
   base::Time request_time_;
   bool is_cached_content_;
diff --git a/net/http/disk_cache_based_quic_server_info_unittest.cc b/net/http/disk_cache_based_quic_server_info_unittest.cc
index 3321240055..ed0e1b7157 100644
--- a/net/http/disk_cache_based_quic_server_info_unittest.cc
+++ b/net/http/disk_cache_based_quic_server_info_unittest.cc
@@ -14,6 +14,7 @@
 #include "net/quic/quic_session_key.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
+namespace net {
 namespace {
 
 // This is an empty transaction, needed to register the URL and the test mode.
@@ -22,7 +23,7 @@ const MockTransaction kHostInfoTransaction1 = {
   "",
   base::Time(),
   "",
-  net::LOAD_NORMAL,
+  LOAD_NORMAL,
   "",
   "",
   base::Time(),
@@ -37,7 +38,7 @@ const MockTransaction kHostInfoTransaction2 = {
   "",
   base::Time(),
   "",
-  net::LOAD_NORMAL,
+  LOAD_NORMAL,
   "",
   "",
   base::Time(),
@@ -47,6 +48,8 @@ const MockTransaction kHostInfoTransaction2 = {
   0
 };
 
+}  // namespace
+
 // Tests that we can delete a DiskCacheBasedQuicServerInfo object in a
 // completion callback for DiskCacheBasedQuicServerInfo::WaitForDataReady.
 TEST(DiskCacheBasedQuicServerInfo, DeleteInCallback) {
@@ -54,32 +57,33 @@ TEST(DiskCacheBasedQuicServerInfo, DeleteInCallback) {
   // of quic_server_info->WaitForDataReady(), so that the callback will run.
   MockBlockingBackendFactory* factory = new MockBlockingBackendFactory();
   MockHttpCache cache(factory);
-  net::QuicSessionKey server_key("www.verisign.com", 443, true);
-  scoped_ptr<net::QuicServerInfo> quic_server_info(
-      new net::DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
+  QuicSessionKey server_key("www.verisign.com", 443, true,
+                            kPrivacyModeDisabled);
+  scoped_ptr<QuicServerInfo> quic_server_info(
+      new DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
   quic_server_info->Start();
-  net::TestCompletionCallback callback;
+  TestCompletionCallback callback;
   int rv = quic_server_info->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::ERR_IO_PENDING, rv);
+  EXPECT_EQ(ERR_IO_PENDING, rv);
   // Now complete the backend creation and let the callback run.
   factory->FinishCreation();
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
 }
 
 // Tests the basic logic of storing, retrieving and updating data.
 TEST(DiskCacheBasedQuicServerInfo, Update) {
   MockHttpCache cache;
   AddMockTransaction(&kHostInfoTransaction1);
-  net::TestCompletionCallback callback;
+  TestCompletionCallback callback;
 
-  net::QuicSessionKey server_key("www.google.com", 443, true);
-  scoped_ptr<net::QuicServerInfo> quic_server_info(
-      new net::DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
+  QuicSessionKey server_key("www.google.com", 443, true, kPrivacyModeDisabled);
+  scoped_ptr<QuicServerInfo> quic_server_info(
+      new DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
   quic_server_info->Start();
   int rv = quic_server_info->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
 
-  net::QuicServerInfo::State* state = quic_server_info->mutable_state();
+  QuicServerInfo::State* state = quic_server_info->mutable_state();
   EXPECT_TRUE(state->certs.empty());
   const string server_config_a = "server_config_a";
   const string source_address_token_a = "source_address_token_a";
@@ -98,10 +102,10 @@ TEST(DiskCacheBasedQuicServerInfo, Update) {
 
   // Open the stored QuicServerInfo.
   quic_server_info.reset(
-      new net::DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
+      new DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
   quic_server_info->Start();
   rv = quic_server_info->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
 
   // And now update the data.
   state = quic_server_info->mutable_state();
@@ -114,13 +118,13 @@ TEST(DiskCacheBasedQuicServerInfo, Update) {
 
   // Verify that the state was updated.
   quic_server_info.reset(
-      new net::DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
+      new DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
   quic_server_info->Start();
   rv = quic_server_info->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
   EXPECT_TRUE(quic_server_info->IsDataReady());
 
-  const net::QuicServerInfo::State& state1 = quic_server_info->state();
+  const QuicServerInfo::State& state1 = quic_server_info->state();
   EXPECT_EQ(server_config_a, state1.server_config);
   EXPECT_EQ(source_address_token_a, state1.source_address_token);
   EXPECT_EQ(server_config_sig_a, state1.server_config_sig);
@@ -136,17 +140,17 @@ TEST(DiskCacheBasedQuicServerInfo, UpdateDifferentPorts) {
   MockHttpCache cache;
   AddMockTransaction(&kHostInfoTransaction1);
   AddMockTransaction(&kHostInfoTransaction2);
-  net::TestCompletionCallback callback;
+  TestCompletionCallback callback;
 
   // Persist data for port 443.
-  net::QuicSessionKey server_key1("www.google.com", 443, true);
-  scoped_ptr<net::QuicServerInfo> quic_server_info1(
-      new net::DiskCacheBasedQuicServerInfo(server_key1, cache.http_cache()));
+  QuicSessionKey server_key1("www.google.com", 443, true, kPrivacyModeDisabled);
+  scoped_ptr<QuicServerInfo> quic_server_info1(
+      new DiskCacheBasedQuicServerInfo(server_key1, cache.http_cache()));
   quic_server_info1->Start();
   int rv = quic_server_info1->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
 
-  net::QuicServerInfo::State* state1 = quic_server_info1->mutable_state();
+  QuicServerInfo::State* state1 = quic_server_info1->mutable_state();
   EXPECT_TRUE(state1->certs.empty());
   const string server_config_a = "server_config_a";
   const string source_address_token_a = "source_address_token_a";
@@ -163,14 +167,14 @@ TEST(DiskCacheBasedQuicServerInfo, UpdateDifferentPorts) {
   base::MessageLoop::current()->RunUntilIdle();
 
   // Persist data for port 80.
-  net::QuicSessionKey server_key2("www.google.com", 80, false);
-  scoped_ptr<net::QuicServerInfo> quic_server_info2(
-      new net::DiskCacheBasedQuicServerInfo(server_key2, cache.http_cache()));
+  QuicSessionKey server_key2("www.google.com", 80, false, kPrivacyModeDisabled);
+  scoped_ptr<QuicServerInfo> quic_server_info2(
+      new DiskCacheBasedQuicServerInfo(server_key2, cache.http_cache()));
   quic_server_info2->Start();
   rv = quic_server_info2->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
 
-  net::QuicServerInfo::State* state2 = quic_server_info2->mutable_state();
+  QuicServerInfo::State* state2 = quic_server_info2->mutable_state();
   EXPECT_TRUE(state2->certs.empty());
   const string server_config_b = "server_config_b";
   const string source_address_token_b = "source_address_token_b";
@@ -187,14 +191,14 @@ TEST(DiskCacheBasedQuicServerInfo, UpdateDifferentPorts) {
   base::MessageLoop::current()->RunUntilIdle();
 
   // Verify the stored QuicServerInfo for port 443.
-  scoped_ptr<net::QuicServerInfo> quic_server_info(
-      new net::DiskCacheBasedQuicServerInfo(server_key1, cache.http_cache()));
+  scoped_ptr<QuicServerInfo> quic_server_info(
+      new DiskCacheBasedQuicServerInfo(server_key1, cache.http_cache()));
   quic_server_info->Start();
   rv = quic_server_info->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
   EXPECT_TRUE(quic_server_info->IsDataReady());
 
-  const net::QuicServerInfo::State& state_a = quic_server_info->state();
+  const QuicServerInfo::State& state_a = quic_server_info->state();
   EXPECT_EQ(server_config_a, state_a.server_config);
   EXPECT_EQ(source_address_token_a, state_a.source_address_token);
   EXPECT_EQ(server_config_sig_a, state_a.server_config_sig);
@@ -203,13 +207,13 @@ TEST(DiskCacheBasedQuicServerInfo, UpdateDifferentPorts) {
 
   // Verify the stored QuicServerInfo for port 80.
   quic_server_info.reset(
-      new net::DiskCacheBasedQuicServerInfo(server_key2, cache.http_cache()));
+      new DiskCacheBasedQuicServerInfo(server_key2, cache.http_cache()));
   quic_server_info->Start();
   rv = quic_server_info->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
   EXPECT_TRUE(quic_server_info->IsDataReady());
 
-  const net::QuicServerInfo::State& state_b = quic_server_info->state();
+  const QuicServerInfo::State& state_b = quic_server_info->state();
   EXPECT_EQ(server_config_b, state_b.server_config);
   EXPECT_EQ(source_address_token_b, state_b.source_address_token);
   EXPECT_EQ(server_config_sig_b, state_b.server_config_sig);
@@ -224,18 +228,18 @@ TEST(DiskCacheBasedQuicServerInfo, UpdateDifferentPorts) {
 TEST(DiskCacheBasedQuicServerInfo, IsReadyToPersist) {
   MockHttpCache cache;
   AddMockTransaction(&kHostInfoTransaction1);
-  net::TestCompletionCallback callback;
+  TestCompletionCallback callback;
 
-  net::QuicSessionKey server_key("www.google.com", 443, true);
-  scoped_ptr<net::QuicServerInfo> quic_server_info(
-      new net::DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
+  QuicSessionKey server_key("www.google.com", 443, true, kPrivacyModeDisabled);
+  scoped_ptr<QuicServerInfo> quic_server_info(
+      new DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
   EXPECT_FALSE(quic_server_info->IsDataReady());
   quic_server_info->Start();
   int rv = quic_server_info->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
   EXPECT_TRUE(quic_server_info->IsDataReady());
 
-  net::QuicServerInfo::State* state = quic_server_info->mutable_state();
+  QuicServerInfo::State* state = quic_server_info->mutable_state();
   EXPECT_TRUE(state->certs.empty());
   const string server_config_a = "server_config_a";
   const string source_address_token_a = "source_address_token_a";
@@ -260,13 +264,13 @@ TEST(DiskCacheBasedQuicServerInfo, IsReadyToPersist) {
 
   // Verify that the state was updated.
   quic_server_info.reset(
-      new net::DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
+      new DiskCacheBasedQuicServerInfo(server_key, cache.http_cache()));
   quic_server_info->Start();
   rv = quic_server_info->WaitForDataReady(callback.callback());
-  EXPECT_EQ(net::OK, callback.GetResult(rv));
+  EXPECT_EQ(OK, callback.GetResult(rv));
   EXPECT_TRUE(quic_server_info->IsDataReady());
 
-  const net::QuicServerInfo::State& state1 = quic_server_info->state();
+  const QuicServerInfo::State& state1 = quic_server_info->state();
   EXPECT_EQ(server_config_a, state1.server_config);
   EXPECT_EQ(source_address_token_a, state1.source_address_token);
   EXPECT_EQ(server_config_sig_a, state1.server_config_sig);
@@ -276,4 +280,4 @@ TEST(DiskCacheBasedQuicServerInfo, IsReadyToPersist) {
   RemoveMockTransaction(&kHostInfoTransaction1);
 }
 
-}  // namespace
+}  // namespace net
diff --git a/net/http/http_cache_transaction.cc b/net/http/http_cache_transaction.cc
index 6aae9718d3..e2d46be453 100644
--- a/net/http/http_cache_transaction.cc
+++ b/net/http/http_cache_transaction.cc
@@ -446,6 +446,9 @@ void HttpCache::Transaction::StopCaching() {
   // entry how it is (it will be marked as truncated at destruction), and let
   // the next piece of code that executes know that we are now reading directly
   // from the net.
+  // TODO(mmenke):  This doesn't release the lock on the cache entry, so a
+  //                future request for the resource will be blocked on this one.
+  //                Fix this.
   if (cache_.get() && entry_ && (mode_ & WRITE) && network_trans_.get() &&
       !is_sparse_ && !range_requested_) {
     mode_ = NONE;
diff --git a/net/http/http_network_session.cc b/net/http/http_network_session.cc
index 73d969c8e3..0e0765337f 100644
--- a/net/http/http_network_session.cc
+++ b/net/http/http_network_session.cc
@@ -113,6 +113,7 @@ HttpNetworkSession::HttpNetworkSession(const Params& params)
                                params.client_socket_factory :
                                net::ClientSocketFactory::GetDefaultFactory(),
                            params.http_server_properties,
+                           params.cert_verifier,
                            params.quic_crypto_client_stream_factory,
                            params.quic_random ? params.quic_random :
                                QuicRandom::GetInstance(),
diff --git a/net/http/http_network_transaction_unittest.cc b/net/http/http_network_transaction_unittest.cc
index 7dda13ecde..ca0678533d 100644
--- a/net/http/http_network_transaction_unittest.cc
+++ b/net/http/http_network_transaction_unittest.cc
@@ -289,7 +289,8 @@ class HttpNetworkTransactionTest
   // failure should cause the network transaction to resend the request, and the
   // other argument should be NULL.
   void PreconnectErrorResendRequestTest(const MockWrite* write_failure,
-                                        const MockRead* read_failure);
+                                        const MockRead* read_failure,
+                                        bool use_spdy);
 
   SimpleGetHelperResult SimpleGetHelperForData(StaticSocketDataProvider* data[],
                                                size_t data_count) {
@@ -1308,46 +1309,81 @@ void HttpNetworkTransactionTest::KeepAliveConnectionResendRequestTest(
 
 void HttpNetworkTransactionTest::PreconnectErrorResendRequestTest(
     const MockWrite* write_failure,
-    const MockRead* read_failure) {
+    const MockRead* read_failure,
+    bool use_spdy) {
   HttpRequestInfo request;
   request.method = "GET";
-  request.url = GURL("http://www.foo.com/");
+  request.url = GURL("https://www.foo.com/");
   request.load_flags = 0;
 
   CapturingNetLog net_log;
   session_deps_.net_log = &net_log;
   scoped_refptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
-  // Written data for successfully sending a request.
-  MockWrite data1_writes[] = {
-    MockWrite("GET / HTTP/1.1\r\n"
-              "Host: www.foo.com\r\n"
-              "Connection: keep-alive\r\n\r\n"),
-  };
+  SSLSocketDataProvider ssl1(ASYNC, OK);
+  SSLSocketDataProvider ssl2(ASYNC, OK);
+  if (use_spdy) {
+    ssl1.SetNextProto(GetParam());
+    ssl2.SetNextProto(GetParam());
+  }
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl1);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl2);
 
-  // Read results for the first request.
-  MockRead data1_reads[] = {
-    MockRead(ASYNC, OK),
-  };
+  // SPDY versions of the request and response.
+  scoped_ptr<SpdyFrame> spdy_request(spdy_util_.ConstructSpdyGet(
+      request.url.spec().c_str(), false, 1, DEFAULT_PRIORITY));
+  scoped_ptr<SpdyFrame> spdy_response(
+      spdy_util_.ConstructSpdyGetSynReply(NULL, 0, 1));
+  scoped_ptr<SpdyFrame> spdy_data(
+      spdy_util_.ConstructSpdyBodyFrame(1, "hello", 5, true));
 
+  // HTTP/1.1 versions of the request and response.
+  const char kHttpRequest[] = "GET / HTTP/1.1\r\n"
+      "Host: www.foo.com\r\n"
+      "Connection: keep-alive\r\n\r\n";
+  const char kHttpResponse[] = "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n";
+  const char kHttpData[] = "hello";
+
+  std::vector<MockRead> data1_reads;
+  std::vector<MockWrite> data1_writes;
   if (write_failure) {
     ASSERT_FALSE(read_failure);
-    data1_writes[0] = *write_failure;
+    data1_writes.push_back(*write_failure);
+    data1_reads.push_back(MockRead(ASYNC, OK));
   } else {
     ASSERT_TRUE(read_failure);
-    data1_reads[0] = *read_failure;
+    if (use_spdy) {
+      data1_writes.push_back(CreateMockWrite(*spdy_request));
+    } else {
+      data1_writes.push_back(MockWrite(kHttpRequest));
+    }
+    data1_reads.push_back(*read_failure);
   }
 
-  StaticSocketDataProvider data1(data1_reads, arraysize(data1_reads),
-                                 data1_writes, arraysize(data1_writes));
+  StaticSocketDataProvider data1(&data1_reads[0], data1_reads.size(),
+                                 &data1_writes[0], data1_writes.size());
   session_deps_.socket_factory->AddSocketDataProvider(&data1);
 
-  MockRead data2_reads[] = {
-    MockRead("HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
-    MockRead("hello"),
-    MockRead(ASYNC, OK),
-  };
-  StaticSocketDataProvider data2(data2_reads, arraysize(data2_reads), NULL, 0);
+  std::vector<MockRead> data2_reads;
+  std::vector<MockWrite> data2_writes;
+
+  if (use_spdy) {
+    data2_writes.push_back(CreateMockWrite(*spdy_request, 0, ASYNC));
+
+    data2_reads.push_back(CreateMockRead(*spdy_response, 1, ASYNC));
+    data2_reads.push_back(CreateMockRead(*spdy_data, 2, ASYNC));
+    data2_reads.push_back(MockRead(ASYNC, OK, 3));
+  } else {
+    data2_writes.push_back(
+        MockWrite(ASYNC, kHttpRequest, strlen(kHttpRequest), 0));
+
+    data2_reads.push_back(
+        MockRead(ASYNC, kHttpResponse, strlen(kHttpResponse), 1));
+    data2_reads.push_back(MockRead(ASYNC, kHttpData, strlen(kHttpData), 2));
+    data2_reads.push_back(MockRead(ASYNC, OK, 3));
+  }
+  OrderedSocketData data2(&data2_reads[0], data2_reads.size(),
+                          &data2_writes[0], data2_writes.size());
   session_deps_.socket_factory->AddSocketDataProvider(&data2);
 
   // Preconnect a socket.
@@ -1360,7 +1396,7 @@ void HttpNetworkTransactionTest::PreconnectErrorResendRequestTest(
   // Wait for the preconnect to complete.
   // TODO(davidben): Some way to wait for an idle socket count might be handy.
   base::RunLoop().RunUntilIdle();
-  EXPECT_EQ(1, GetIdleSocketCountInTransportSocketPool(session.get()));
+  EXPECT_EQ(1, GetIdleSocketCountInSSLSocketPool(session.get()));
 
   // Make the request.
   TestCompletionCallback callback;
@@ -1376,7 +1412,9 @@ void HttpNetworkTransactionTest::PreconnectErrorResendRequestTest(
 
   LoadTimingInfo load_timing_info;
   EXPECT_TRUE(trans->GetLoadTimingInfo(&load_timing_info));
-  TestLoadTimingNotReused(load_timing_info, CONNECT_TIMING_HAS_DNS_TIMES);
+  TestLoadTimingNotReused(
+      load_timing_info,
+      CONNECT_TIMING_HAS_DNS_TIMES|CONNECT_TIMING_HAS_SSL_TIMES);
 
   const HttpResponseInfo* response = trans->GetResponseInfo();
   ASSERT_TRUE(response != NULL);
@@ -1387,7 +1425,7 @@ void HttpNetworkTransactionTest::PreconnectErrorResendRequestTest(
   std::string response_data;
   rv = ReadTransaction(trans.get(), &response_data);
   EXPECT_EQ(OK, rv);
-  EXPECT_EQ("hello", response_data);
+  EXPECT_EQ(kHttpData, response_data);
 }
 
 TEST_P(HttpNetworkTransactionTest,
@@ -1409,17 +1447,43 @@ TEST_P(HttpNetworkTransactionTest, KeepAliveConnectionEOF) {
 TEST_P(HttpNetworkTransactionTest,
        PreconnectErrorNotConnectedOnWrite) {
   MockWrite write_failure(ASYNC, ERR_SOCKET_NOT_CONNECTED);
-  PreconnectErrorResendRequestTest(&write_failure, NULL);
+  PreconnectErrorResendRequestTest(&write_failure, NULL, false);
 }
 
 TEST_P(HttpNetworkTransactionTest, PreconnectErrorReset) {
   MockRead read_failure(ASYNC, ERR_CONNECTION_RESET);
-  PreconnectErrorResendRequestTest(NULL, &read_failure);
+  PreconnectErrorResendRequestTest(NULL, &read_failure, false);
 }
 
 TEST_P(HttpNetworkTransactionTest, PreconnectErrorEOF) {
   MockRead read_failure(SYNCHRONOUS, OK);  // EOF
-  PreconnectErrorResendRequestTest(NULL, &read_failure);
+  PreconnectErrorResendRequestTest(NULL, &read_failure, false);
+}
+
+TEST_P(HttpNetworkTransactionTest, PreconnectErrorAsyncEOF) {
+  MockRead read_failure(ASYNC, OK);  // EOF
+  PreconnectErrorResendRequestTest(NULL, &read_failure, false);
+}
+
+TEST_P(HttpNetworkTransactionTest,
+       SpdyPreconnectErrorNotConnectedOnWrite) {
+  MockWrite write_failure(ASYNC, ERR_SOCKET_NOT_CONNECTED);
+  PreconnectErrorResendRequestTest(&write_failure, NULL, true);
+}
+
+TEST_P(HttpNetworkTransactionTest, SpdyPreconnectErrorReset) {
+  MockRead read_failure(ASYNC, ERR_CONNECTION_RESET);
+  PreconnectErrorResendRequestTest(NULL, &read_failure, true);
+}
+
+TEST_P(HttpNetworkTransactionTest, SpdyPreconnectErrorEOF) {
+  MockRead read_failure(SYNCHRONOUS, OK);  // EOF
+  PreconnectErrorResendRequestTest(NULL, &read_failure, true);
+}
+
+TEST_P(HttpNetworkTransactionTest, SpdyPreconnectErrorAsyncEOF) {
+  MockRead read_failure(ASYNC, OK);  // EOF
+  PreconnectErrorResendRequestTest(NULL, &read_failure, true);
 }
 
 TEST_P(HttpNetworkTransactionTest, NonKeepAliveConnectionReset) {
diff --git a/net/http/http_proxy_client_socket_pool.cc b/net/http/http_proxy_client_socket_pool.cc
index 8d691b7dd8..e2529f8152 100644
--- a/net/http/http_proxy_client_socket_pool.cc
+++ b/net/http/http_proxy_client_socket_pool.cc
@@ -315,11 +315,11 @@ int HttpProxyConnectJob::DoSpdyProxyCreateStream() {
     }
   } else {
     // Create a session direct to the proxy itself
-    int rv = spdy_pool->CreateAvailableSessionFromSocket(
-        key, transport_socket_handle_.Pass(),
-        net_log(), OK, &spdy_session, /*using_ssl_*/ true);
-    if (rv < 0)
-      return rv;
+    spdy_session =
+        spdy_pool->CreateAvailableSessionFromSocket(
+            key, transport_socket_handle_.Pass(),
+            net_log(), OK, /*using_ssl_*/ true);
+    DCHECK(spdy_session);
   }
 
   next_state_ = STATE_SPDY_PROXY_CREATE_STREAM_COMPLETE;
diff --git a/net/http/http_stream_factory_impl_job.cc b/net/http/http_stream_factory_impl_job.cc
index 960bc582d9..09b58d403e 100644
--- a/net/http/http_stream_factory_impl_job.cc
+++ b/net/http/http_stream_factory_impl_job.cc
@@ -334,20 +334,23 @@ void HttpStreamFactoryImpl::Job::OnWebSocketHandshakeStreamReadyCallback() {
 }
 
 void HttpStreamFactoryImpl::Job::OnNewSpdySessionReadyCallback() {
-  DCHECK(!stream_.get());
+  DCHECK(stream_.get());
   DCHECK(!IsPreconnecting());
   DCHECK(using_spdy());
-  if (!new_spdy_session_)
-    return;
+  // Note: an event loop iteration has passed, so |new_spdy_session_| may be
+  // NULL at this point if the SpdySession closed immediately after creation.
   base::WeakPtr<SpdySession> spdy_session = new_spdy_session_;
   new_spdy_session_.reset();
   if (IsOrphaned()) {
-    stream_factory_->OnNewSpdySessionReady(
-        spdy_session, spdy_session_direct_, server_ssl_config_, proxy_info_,
-        was_npn_negotiated(), protocol_negotiated(), using_spdy(), net_log_);
+    if (spdy_session) {
+      stream_factory_->OnNewSpdySessionReady(
+          spdy_session, spdy_session_direct_, server_ssl_config_, proxy_info_,
+          was_npn_negotiated(), protocol_negotiated(), using_spdy(), net_log_);
+    }
     stream_factory_->OnOrphanedJobComplete(this);
   } else {
-    request_->OnNewSpdySessionReady(this, spdy_session, spdy_session_direct_);
+    request_->OnNewSpdySessionReady(
+        this, stream_.Pass(), spdy_session, spdy_session_direct_);
   }
   // |this| may be deleted after this call.
 }
@@ -740,8 +743,8 @@ int HttpStreamFactoryImpl::Job::DoInitConnection() {
     next_state_ = STATE_INIT_CONNECTION_COMPLETE;
     bool secure_quic = using_ssl_ || proxy_info_.is_quic();
     int rv = quic_request_.Request(
-        destination, secure_quic, request_info_.method,
-        session_->cert_verifier(), net_log_, io_callback_);
+        destination, secure_quic, request_info_.privacy_mode,
+        request_info_.method, net_log_, io_callback_);
     if (rv != OK) {
       // OK, there's no available QUIC session. Let |waiting_job_| resume
       // if it's paused.
@@ -1104,21 +1107,27 @@ int HttpStreamFactoryImpl::Job::DoCreateStream() {
     SpdySessionPool* spdy_pool = session_->spdy_session_pool();
     spdy_session = spdy_pool->FindAvailableSession(spdy_session_key, net_log_);
     if (!spdy_session) {
-      int error =
+      new_spdy_session_ =
           spdy_pool->CreateAvailableSessionFromSocket(spdy_session_key,
                                                       connection_.Pass(),
                                                       net_log_,
                                                       spdy_certificate_error_,
-                                                      &new_spdy_session_,
                                                       using_ssl_);
-      if (error != OK)
-        return error;
       const HostPortPair& host_port_pair = spdy_session_key.host_port_pair();
       base::WeakPtr<HttpServerProperties> http_server_properties =
           session_->http_server_properties();
       if (http_server_properties)
         http_server_properties->SetSupportsSpdy(host_port_pair, true);
       spdy_session_direct_ = direct;
+
+      // Create a SpdyHttpStream attached to the session;
+      // OnNewSpdySessionReadyCallback is not called until an event loop
+      // iteration later, so if the SpdySession is closed between then, allow
+      // reuse state from the underlying socket, sampled by SpdyHttpStream,
+      // bubble up to the request.
+      bool use_relative_url = direct || request_info_.url.SchemeIs("https");
+      stream_.reset(new SpdyHttpStream(new_spdy_session_, use_relative_url));
+
       return OK;
     }
   }
diff --git a/net/http/http_stream_factory_impl_request.cc b/net/http/http_stream_factory_impl_request.cc
index ff66f1475c..5f129ac267 100644
--- a/net/http/http_stream_factory_impl_request.cc
+++ b/net/http/http_stream_factory_impl_request.cc
@@ -291,11 +291,16 @@ HttpStreamFactoryImpl::Request::RemoveRequestFromHttpPipeliningRequestMap() {
 
 void HttpStreamFactoryImpl::Request::OnNewSpdySessionReady(
     Job* job,
+    scoped_ptr<HttpStream> stream,
     const base::WeakPtr<SpdySession>& spdy_session,
     bool direct) {
   DCHECK(job);
   DCHECK(job->using_spdy());
 
+  // Note: |spdy_session| may be NULL. In that case, |delegate_| should still
+  // receive |stream| so the error propogates up correctly, however there is no
+  // point in broadcasting |spdy_session| to other requests.
+
   // The first case is the usual case.
   if (!bound_job_.get()) {
     OrphanJobsExcept(job);
@@ -322,21 +327,20 @@ void HttpStreamFactoryImpl::Request::OnNewSpdySessionReady(
     // implemented.
     NOTREACHED();
   } else {
-    bool use_relative_url = direct || url().SchemeIs("https");
-    delegate_->OnStreamReady(
-        job->server_ssl_config(),
-        job->proxy_info(),
-        new SpdyHttpStream(spdy_session, use_relative_url));
+    delegate_->OnStreamReady(job->server_ssl_config(), job->proxy_info(),
+                             stream.release());
   }
   // |this| may be deleted after this point.
-  factory->OnNewSpdySessionReady(spdy_session,
-                                 direct,
-                                 used_ssl_config,
-                                 used_proxy_info,
-                                 was_npn_negotiated,
-                                 protocol_negotiated,
-                                 using_spdy,
-                                 net_log);
+  if (spdy_session) {
+    factory->OnNewSpdySessionReady(spdy_session,
+                                   direct,
+                                   used_ssl_config,
+                                   used_proxy_info,
+                                   was_npn_negotiated,
+                                   protocol_negotiated,
+                                   using_spdy,
+                                   net_log);
+  }
 }
 
 void HttpStreamFactoryImpl::Request::OrphanJobsExcept(Job* job) {
diff --git a/net/http/http_stream_factory_impl_request.h b/net/http/http_stream_factory_impl_request.h
index 3d3b2c8bd6..22c8ff2d48 100644
--- a/net/http/http_stream_factory_impl_request.h
+++ b/net/http/http_stream_factory_impl_request.h
@@ -16,6 +16,7 @@
 namespace net {
 
 class ClientSocketHandle;
+class HttpStream;
 class SpdySession;
 
 class HttpStreamFactoryImpl::Request : public HttpStreamRequest {
@@ -64,6 +65,7 @@ class HttpStreamFactoryImpl::Request : public HttpStreamRequest {
 
   // Called by an attached Job if it sets up a SpdySession.
   void OnNewSpdySessionReady(Job* job,
+                             scoped_ptr<HttpStream> stream,
                              const base::WeakPtr<SpdySession>& spdy_session,
                              bool direct);
 
diff --git a/net/http/http_transaction_unittest.cc b/net/http/http_transaction_unittest.cc
index fe904d909f..eed3c4fc8c 100644
--- a/net/http/http_transaction_unittest.cc
+++ b/net/http/http_transaction_unittest.cc
@@ -296,7 +296,10 @@ int MockNetworkTransaction::Read(net::IOBuffer* buf, int buf_len,
   return net::ERR_IO_PENDING;
 }
 
-void MockNetworkTransaction::StopCaching() {}
+void MockNetworkTransaction::StopCaching() {
+  if (transaction_factory_.get())
+    transaction_factory_->TransactionStopCaching();
+}
 
 bool MockNetworkTransaction::GetFullRequestHeaders(
     net::HttpRequestHeaders* headers) const {
@@ -439,6 +442,7 @@ void MockNetworkTransaction::RunCallback(
 MockNetworkLayer::MockNetworkLayer()
     : transaction_count_(0),
       done_reading_called_(false),
+      stop_caching_called_(false),
       last_create_transaction_priority_(net::DEFAULT_PRIORITY) {}
 
 MockNetworkLayer::~MockNetworkLayer() {}
@@ -447,6 +451,10 @@ void MockNetworkLayer::TransactionDoneReading() {
   done_reading_called_ = true;
 }
 
+void MockNetworkLayer::TransactionStopCaching() {
+  stop_caching_called_ = true;
+}
+
 int MockNetworkLayer::CreateTransaction(
     net::RequestPriority priority,
     scoped_ptr<net::HttpTransaction>* trans) {
diff --git a/net/http/http_transaction_unittest.h b/net/http/http_transaction_unittest.h
index 2572b1faad..5116f6585b 100644
--- a/net/http/http_transaction_unittest.h
+++ b/net/http/http_transaction_unittest.h
@@ -256,7 +256,9 @@ class MockNetworkLayer : public net::HttpTransactionFactory,
 
   int transaction_count() const { return transaction_count_; }
   bool done_reading_called() const { return done_reading_called_; }
+  bool stop_caching_called() const { return stop_caching_called_; }
   void TransactionDoneReading();
+  void TransactionStopCaching();
 
   // Returns the last priority passed to CreateTransaction, or
   // DEFAULT_PRIORITY if it hasn't been called yet.
@@ -289,6 +291,7 @@ class MockNetworkLayer : public net::HttpTransactionFactory,
  private:
   int transaction_count_;
   bool done_reading_called_;
+  bool stop_caching_called_;
   net::RequestPriority last_create_transaction_priority_;
   base::WeakPtr<MockNetworkTransaction> last_transaction_;
 };
diff --git a/net/http/transport_security_state.cc b/net/http/transport_security_state.cc
index 8498d26ed4..8142e09e82 100644
--- a/net/http/transport_security_state.cc
+++ b/net/http/transport_security_state.cc
@@ -718,8 +718,18 @@ bool TransportSecurityState::IsGooglePinnedProperty(const std::string& host,
 }
 
 // static
-const char* const* TransportSecurityState::GooglePinsForDebugging() {
-  return kGoogleAcceptableCerts;
+bool TransportSecurityState::GetPinsForDebugging(
+    const std::string& host,
+    const char* const** out_required_pins,
+    const char* const** out_excluded_pins) {
+  const std::string canonicalized_host = CanonicalizeHost(host);
+  const struct HSTSPreload* entry =
+      GetHSTSPreload(canonicalized_host, kPreloadedSTS, kNumPreloadedSTS);
+  if (!entry)
+    return false;
+  *out_required_pins = entry->pins.required_hashes;
+  *out_excluded_pins = entry->pins.excluded_hashes;
+  return true;
 }
 
 // static
diff --git a/net/http/transport_security_state.h b/net/http/transport_security_state.h
index 7696cbb4a6..8aaecb693c 100644
--- a/net/http/transport_security_state.h
+++ b/net/http/transport_security_state.h
@@ -248,11 +248,17 @@ class NET_EXPORT TransportSecurityState
   static bool IsGooglePinnedProperty(const std::string& host,
                                      bool sni_enabled);
 
-  // GooglePinsForDebugging returns an array of SHA-1 pins for Google
-  // properties - each 20 bytes long - with a NULL pointer signalling the end
-  // of the array. This is a temporary debugging measure to check for binary
-  // alteration / corruption.
-  static const char* const* GooglePinsForDebugging();
+  // GetPinsForDebugging finds the preloaded entry for the given host. If none
+  // exists, it returns false. Otherwise it returns true and sets |out_pins|
+  // and |out_bad_pins| to point to arrays of SHA-1 hashes, each 20 bytes long
+  // with a NULL pointer signalling the end of the array, for the required and
+  // excluded pins, respectively.
+  // This is a temporary debugging measure to check for binary alteration /
+  // corruption.
+  static bool GetPinsForDebugging(
+    const std::string& host,
+    const char* const** out_pins,
+    const char* const** out_bad_pins);
 
   // The maximum number of seconds for which we'll cache an HSTS request.
   static const long int kMaxHSTSAgeSecs;
diff --git a/net/http/transport_security_state_static.h b/net/http/transport_security_state_static.h
index e87233d057..661a6a8dc8 100644
--- a/net/http/transport_security_state_static.h
+++ b/net/http/transport_security_state_static.h
@@ -405,6 +405,7 @@ static const struct HSTSPreload kPreloadedSTS[] = {
   {17, true, "\004goto\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {18, true, "\005cloud\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {18, true, "\005glass\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
+  {18, true, "\005admin\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {17, false, "\004play\006google\003com", true, kGooglePins, DOMAIN_GOOGLE_COM },
   {20, true, "\006market\007android\003com", true, kGooglePins, DOMAIN_ANDROID_COM },
   {26, true, "\003ssl\020google-analytics\003com", true, kGooglePins, DOMAIN_GOOGLE_ANALYTICS_COM },
@@ -922,6 +923,7 @@ static const struct HSTSPreload kPreloadedSTS[] = {
   {19, false, "\003www\007banking\002co\002at", true, kNoPins, DOMAIN_NOT_PINNED },
   {19, false, "\003mbp\007banking\002co\002at", true, kNoPins, DOMAIN_NOT_PINNED },
   {13, false, "\007feedbin\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {9, true, "\004heha\002co", true, kNoPins, DOMAIN_NOT_PINNED },
 };
 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 
diff --git a/net/http/transport_security_state_static.json b/net/http/transport_security_state_static.json
index 84dcf34eba..2af203cec4 100644
--- a/net/http/transport_security_state_static.json
+++ b/net/http/transport_security_state_static.json
@@ -184,6 +184,7 @@
     { "name": "goto.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
     { "name": "cloud.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
     { "name": "glass.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
+    { "name": "admin.google.com", "include_subdomains": true, "mode": "force-https", "pins": "google" },
     // play.google.com doesn't have include_subdomains because of crbug.com/327834.
     { "name": "play.google.com", "mode": "force-https", "pins": "google" },
 
@@ -715,6 +716,7 @@
     { "name": "www.banking.co.at", "mode": "force-https" },
     { "name": "mbp.banking.co.at", "mode": "force-https" },
     { "name": "feedbin.com", "mode": "force-https" },
+    { "name": "heha.co", "include_subdomains": true, "mode": "force-https" },
 
     // Entries that are only valid if the client supports SNI.
     { "name": "gmail.com", "mode": "force-https", "pins": "google", "snionly": true },
diff --git a/net/http_server.target.darwin-arm.mk b/net/http_server.target.darwin-arm.mk
index 1dd00b6f7d..4b86b99902 100644
--- a/net/http_server.target.darwin-arm.mk
+++ b/net/http_server.target.darwin-arm.mk
@@ -83,6 +83,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DPOSIX_AVOID_MMAP' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -170,6 +171,7 @@ MY_DEFS_Release := \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DPOSIX_AVOID_MMAP' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/http_server.target.darwin-mips.mk b/net/http_server.target.darwin-mips.mk
index b1abe01b59..8c9f4eb719 100644
--- a/net/http_server.target.darwin-mips.mk
+++ b/net/http_server.target.darwin-mips.mk
@@ -82,6 +82,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DPOSIX_AVOID_MMAP' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -168,6 +169,7 @@ MY_DEFS_Release := \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DPOSIX_AVOID_MMAP' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/http_server.target.darwin-x86.mk b/net/http_server.target.darwin-x86.mk
index 114ac61c1b..c1ac63a219 100644
--- a/net/http_server.target.darwin-x86.mk
+++ b/net/http_server.target.darwin-x86.mk
@@ -83,6 +83,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -169,6 +170,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/http_server.target.darwin-x86_64.mk b/net/http_server.target.darwin-x86_64.mk
new file mode 100644
index 0000000000..6b87e65c70
--- /dev/null
+++ b/net/http_server.target.darwin-x86_64.mk
@@ -0,0 +1,269 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := STATIC_LIBRARIES
+LOCAL_MODULE := net_http_server_gyp
+LOCAL_MODULE_SUFFIX := .a
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+GYP_GENERATED_OUTPUTS :=
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_CPP_EXTENSION := .cc
+LOCAL_GENERATED_SOURCES :=
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES := \
+	net/server/http_connection.cc \
+	net/server/http_server.cc \
+	net/server/http_server_request_info.cc \
+	net/server/http_server_response_info.cc \
+	net/server/web_socket.cc
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DPOSIX_AVOID_MMAP' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(gyp_shared_intermediate_dir)/shim_headers/icuuc/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/icui18n/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
+	$(LOCAL_PATH) \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DPOSIX_AVOID_MMAP' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(gyp_shared_intermediate_dir)/shim_headers/icuuc/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/icui18n/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
+	$(LOCAL_PATH) \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+
+LOCAL_LDFLAGS_Debug := \
+	-Wl,--fatal-warnings \
+	-Wl,-z,now \
+	-Wl,-z,relro \
+	-Wl,-z,noexecstack \
+	-fPIC \
+	-m64 \
+	-fuse-ld=gold \
+	-nostdlib \
+	-Wl,--no-undefined \
+	-Wl,--exclude-libs=ALL \
+	-Wl,--gc-sections \
+	-Wl,--warn-shared-textrel \
+	-Wl,-O1 \
+	-Wl,--as-needed
+
+
+LOCAL_LDFLAGS_Release := \
+	-Wl,--fatal-warnings \
+	-Wl,-z,now \
+	-Wl,-z,relro \
+	-Wl,-z,noexecstack \
+	-fPIC \
+	-m64 \
+	-fuse-ld=gold \
+	-nostdlib \
+	-Wl,--no-undefined \
+	-Wl,--exclude-libs=ALL \
+	-Wl,-O1 \
+	-Wl,--as-needed \
+	-Wl,--gc-sections \
+	-Wl,--warn-shared-textrel
+
+
+LOCAL_LDFLAGS := $(LOCAL_LDFLAGS_$(GYP_CONFIGURATION))
+
+LOCAL_STATIC_LIBRARIES :=
+
+# Enable grouping to fix circular references
+LOCAL_GROUP_STATIC_LIBRARIES := true
+
+LOCAL_SHARED_LIBRARIES := \
+	libstlport \
+	libdl
+
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_http_server_gyp
+
+# Alias gyp target name.
+.PHONY: http_server
+http_server: net_http_server_gyp
+
+include $(BUILD_STATIC_LIBRARY)
diff --git a/net/http_server.target.linux-arm.mk b/net/http_server.target.linux-arm.mk
index 1dd00b6f7d..4b86b99902 100644
--- a/net/http_server.target.linux-arm.mk
+++ b/net/http_server.target.linux-arm.mk
@@ -83,6 +83,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DPOSIX_AVOID_MMAP' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -170,6 +171,7 @@ MY_DEFS_Release := \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DPOSIX_AVOID_MMAP' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/http_server.target.linux-mips.mk b/net/http_server.target.linux-mips.mk
index b1abe01b59..8c9f4eb719 100644
--- a/net/http_server.target.linux-mips.mk
+++ b/net/http_server.target.linux-mips.mk
@@ -82,6 +82,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DPOSIX_AVOID_MMAP' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -168,6 +169,7 @@ MY_DEFS_Release := \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DPOSIX_AVOID_MMAP' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/http_server.target.linux-x86.mk b/net/http_server.target.linux-x86.mk
index 114ac61c1b..c1ac63a219 100644
--- a/net/http_server.target.linux-x86.mk
+++ b/net/http_server.target.linux-x86.mk
@@ -83,6 +83,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -169,6 +170,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/http_server.target.linux-x86_64.mk b/net/http_server.target.linux-x86_64.mk
new file mode 100644
index 0000000000..6b87e65c70
--- /dev/null
+++ b/net/http_server.target.linux-x86_64.mk
@@ -0,0 +1,269 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := STATIC_LIBRARIES
+LOCAL_MODULE := net_http_server_gyp
+LOCAL_MODULE_SUFFIX := .a
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+GYP_GENERATED_OUTPUTS :=
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_CPP_EXTENSION := .cc
+LOCAL_GENERATED_SOURCES :=
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES := \
+	net/server/http_connection.cc \
+	net/server/http_server.cc \
+	net/server/http_server_request_info.cc \
+	net/server/http_server_response_info.cc \
+	net/server/web_socket.cc
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DPOSIX_AVOID_MMAP' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(gyp_shared_intermediate_dir)/shim_headers/icuuc/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/icui18n/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
+	$(LOCAL_PATH) \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DPOSIX_AVOID_MMAP' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(gyp_shared_intermediate_dir)/shim_headers/icuuc/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/icui18n/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
+	$(LOCAL_PATH) \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+
+LOCAL_LDFLAGS_Debug := \
+	-Wl,--fatal-warnings \
+	-Wl,-z,now \
+	-Wl,-z,relro \
+	-Wl,-z,noexecstack \
+	-fPIC \
+	-m64 \
+	-fuse-ld=gold \
+	-nostdlib \
+	-Wl,--no-undefined \
+	-Wl,--exclude-libs=ALL \
+	-Wl,--gc-sections \
+	-Wl,--warn-shared-textrel \
+	-Wl,-O1 \
+	-Wl,--as-needed
+
+
+LOCAL_LDFLAGS_Release := \
+	-Wl,--fatal-warnings \
+	-Wl,-z,now \
+	-Wl,-z,relro \
+	-Wl,-z,noexecstack \
+	-fPIC \
+	-m64 \
+	-fuse-ld=gold \
+	-nostdlib \
+	-Wl,--no-undefined \
+	-Wl,--exclude-libs=ALL \
+	-Wl,-O1 \
+	-Wl,--as-needed \
+	-Wl,--gc-sections \
+	-Wl,--warn-shared-textrel
+
+
+LOCAL_LDFLAGS := $(LOCAL_LDFLAGS_$(GYP_CONFIGURATION))
+
+LOCAL_STATIC_LIBRARIES :=
+
+# Enable grouping to fix circular references
+LOCAL_GROUP_STATIC_LIBRARIES := true
+
+LOCAL_SHARED_LIBRARIES := \
+	libstlport \
+	libdl
+
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_http_server_gyp
+
+# Alias gyp target name.
+.PHONY: http_server
+http_server: net_http_server_gyp
+
+include $(BUILD_STATIC_LIBRARY)
diff --git a/net/net.gyp b/net/net.gyp
index bd408e2643..28dcd4d7fc 100644
--- a/net/net.gyp
+++ b/net/net.gyp
@@ -136,8 +136,6 @@
         'base/iovec.h',
         'base/ip_endpoint.cc',
         'base/ip_endpoint.h',
-        'base/ip_mapping_rules.cc',
-        'base/ip_mapping_rules.h',
         'base/ip_pattern.cc',
         'base/ip_pattern.h',
         'base/keygen_handler.cc',
@@ -355,6 +353,8 @@
         'disk_cache/blockfile/backend_impl.h',
         'disk_cache/blockfile/backend_impl_v3.cc',
         'disk_cache/blockfile/backend_impl_v3.h',
+        'disk_cache/blockfile/backend_worker_v3.cc',
+        'disk_cache/blockfile/backend_worker_v3.h',
         'disk_cache/blockfile/bitmap.cc',
         'disk_cache/blockfile/bitmap.h',
         'disk_cache/blockfile/block_bitmaps_v3.cc',
@@ -488,8 +488,6 @@
         'dns/host_resolver_proc.h',
         'dns/mapped_host_resolver.cc',
         'dns/mapped_host_resolver.h',
-        'dns/mapped_ip_resolver.cc',
-        'dns/mapped_ip_resolver.h',
         'dns/mdns_cache.cc',
         'dns/mdns_cache.h',
         'dns/mdns_client.cc',
@@ -843,7 +841,7 @@
         'quic/crypto/proof_source.h',
         'quic/crypto/proof_source_chromium.cc',
         'quic/crypto/proof_source_chromium.h',
-        'quic/crypto/proof_verifier.cc',
+        'quic/crypto/proof_verifier.h',
         'quic/crypto/proof_verifier_chromium.cc',
         'quic/crypto/proof_verifier_chromium.h',
         'quic/crypto/quic_crypto_client_config.cc',
@@ -882,6 +880,8 @@
         'quic/quic_blocked_writer_interface.h',
         'quic/quic_client_session.cc',
         'quic/quic_client_session.h',
+        'quic/quic_client_session_base.cc',
+        'quic/quic_client_session_base.h',
         'quic/quic_clock.cc',
         'quic/quic_clock.h',
         'quic/quic_config.cc',
@@ -1124,6 +1124,8 @@
         'ssl/ssl_client_auth_cache.cc',
         'ssl/ssl_client_auth_cache.h',
         'ssl/ssl_client_cert_type.h',
+        'ssl/ssl_config.cc',
+        'ssl/ssl_config.h',
         'ssl/ssl_config_service.cc',
         'ssl/ssl_config_service.h',
         'ssl/ssl_config_service_defaults.cc',
@@ -1409,22 +1411,17 @@
               'third_party/mozilla_security_manager/nsPKCS12Blob.cpp',
               'third_party/mozilla_security_manager/nsPKCS12Blob.h',
             ],
+            'dependencies': [
+              '../third_party/openssl/openssl.gyp:openssl',
+            ],
           },
           {  # else !use_openssl: remove the unneeded files
             'sources!': [
               'base/crypto_module_openssl.cc',
               'base/keygen_handler_openssl.cc',
-              'base/openssl_private_key_store.h',
-              'base/openssl_private_key_store_android.cc',
-              'base/openssl_private_key_store_memory.cc',
-              'cert/cert_database_openssl.cc',
-              'cert/cert_verify_proc_openssl.cc',
-              'cert/cert_verify_proc_openssl.h',
               'cert/ct_log_verifier_openssl.cc',
               'cert/ct_objects_extractor_openssl.cc',
               'cert/jwk_serializer_openssl.cc',
-              'cert/test_root_certs_openssl.cc',
-              'cert/x509_certificate_openssl.cc',
               'cert/x509_util_openssl.cc',
               'cert/x509_util_openssl.h',
               'quic/crypto/aead_base_decrypter_openssl.cc',
@@ -1442,11 +1439,23 @@
               'socket/ssl_server_socket_openssl.cc',
               'socket/ssl_session_cache_openssl.cc',
               'socket/ssl_session_cache_openssl.h',
-              'ssl/openssl_client_key_store.cc',
-              'ssl/openssl_client_key_store.h',
             ],
           },
         ],
+        [ 'use_openssl_certs == 0', {
+            'sources!': [
+              'base/openssl_private_key_store.h',
+              'base/openssl_private_key_store_android.cc',
+              'base/openssl_private_key_store_memory.cc',
+              'cert/cert_database_openssl.cc',
+              'cert/cert_verify_proc_openssl.cc',
+              'cert/cert_verify_proc_openssl.h',
+              'cert/test_root_certs_openssl.cc',
+              'cert/x509_certificate_openssl.cc',
+              'ssl/openssl_client_key_store.cc',
+              'ssl/openssl_client_key_store.h',
+            ],
+        }],
         [ 'use_glib == 1', {
             'dependencies': [
               '../build/linux/system.gyp:gconf',
@@ -1455,12 +1464,8 @@
         }],
         [ 'desktop_linux == 1 or chromeos == 1', {
             'conditions': [
-              ['use_openssl==1', {
-                'dependencies': [
-                  '../third_party/openssl/openssl.gyp:openssl',
-                ],
-              },
-              {  # else use_openssl==0, use NSS
+              ['use_openssl == 0', {
+                 # use NSS
                 'dependencies': [
                   '../build/linux/system.gyp:ssl',
                 ],
@@ -1569,10 +1574,15 @@
           },
         ],
         [ 'OS == "mac"', {
-            'dependencies': [
-              '../third_party/nss/nss.gyp:nspr',
-              '../third_party/nss/nss.gyp:nss',
-              'third_party/nss/ssl.gyp:libssl',
+            'conditions': [
+              [ 'use_openssl == 0', {
+                'dependencies': [
+                  # defaults to nss
+                  '../third_party/nss/nss.gyp:nspr',
+                  '../third_party/nss/nss.gyp:nss',
+                  'third_party/nss/ssl.gyp:libssl',
+                ],
+              }],
             ],
             'link_settings': {
               'libraries': [
@@ -1692,7 +1702,6 @@
         'base/host_mapping_rules_unittest.cc',
         'base/host_port_pair_unittest.cc',
         'base/ip_endpoint_unittest.cc',
-        'base/ip_mapping_rules_unittest.cc',
         'base/ip_pattern_unittest.cc',
         'base/keygen_handler_unittest.cc',
         'base/mime_sniffer_unittest.cc',
@@ -2175,8 +2184,8 @@
         }],
         [ 'OS == "android"', {
           'sources!': [
-            # See bug 344533.
-            'disk_cache/blockfile/index_table_v3unittest.cc',
+            # See bug http://crbug.com/344533.
+            'disk_cache/blockfile/index_table_v3_unittest.cc',
             # No res_ninit() et al on Android, so this doesn't make a lot of
             # sense.
             'dns/dns_config_service_posix_unittest.cc',
@@ -2262,10 +2271,14 @@
               'quic/test_tools/crypto_test_utils_openssl.cc',
               'socket/ssl_client_socket_openssl_unittest.cc',
               'socket/ssl_session_cache_openssl_unittest.cc',
-              'ssl/openssl_client_key_store_unittest.cc',
             ],
           },
         ],
+        [ 'use_openssl_certs == 0', {
+            'sources!': [
+              'ssl/openssl_client_key_store_unittest.cc',
+            ],
+        }],
         [ 'enable_websockets != 1', {
             'sources/': [
               ['exclude', '^socket_stream/'],
@@ -2333,7 +2346,7 @@
             'msvs_disabled_warnings': [4267, ],
           },
         ],
-        [ 'OS == "mac"', {
+        [ 'OS == "mac" and use_openssl == 0', {
             'dependencies': [
               '../third_party/nss/nss.gyp:nspr',
               '../third_party/nss/nss.gyp:nss',
@@ -2382,8 +2395,8 @@
               # OS is not "linux" or "freebsd" or "openbsd".
               'socket/unix_domain_socket_posix_unittest.cc',
 
-              # See bug 344533.
-              'disk_cache/v3/index_table_unittest.cc',
+              # See bug http://crbug.com/344533.
+              'disk_cache/blockfile/index_table_v3_unittest.cc',
             ],
         }],
         [ 'OS == "android"', {
@@ -2742,49 +2755,6 @@
           'msvs_disabled_warnings': [4267, ],
         },
         {
-          'target_name': 'fetch_client',
-          'type': 'executable',
-          'variables': { 'enable_wexit_time_destructors': 1, },
-          'dependencies': [
-            '../base/base.gyp:base',
-            '../base/third_party/dynamic_annotations/dynamic_annotations.gyp:dynamic_annotations',
-            '../testing/gtest.gyp:gtest',
-            '../url/url.gyp:url_lib',
-            'net',
-            'net_with_v8',
-          ],
-          'sources': [
-            'tools/fetch/fetch_client.cc',
-          ],
-          # TODO(jschuh): crbug.com/167187 fix size_t to int truncations.
-          'msvs_disabled_warnings': [4267, ],
-        },
-        {
-          'target_name': 'fetch_server',
-          'type': 'executable',
-          'variables': { 'enable_wexit_time_destructors': 1, },
-          'dependencies': [
-            '../base/base.gyp:base',
-            '../url/url.gyp:url_lib',
-            'net',
-          ],
-          'sources': [
-            'tools/fetch/fetch_server.cc',
-            'tools/fetch/http_listen_socket.cc',
-            'tools/fetch/http_listen_socket.h',
-            'tools/fetch/http_server.cc',
-            'tools/fetch/http_server.h',
-            'tools/fetch/http_server_request_info.cc',
-            'tools/fetch/http_server_request_info.h',
-            'tools/fetch/http_server_response_info.cc',
-            'tools/fetch/http_server_response_info.h',
-            'tools/fetch/http_session.cc',
-            'tools/fetch/http_session.h',
-          ],
-          # TODO(jschuh): crbug.com/167187 fix size_t to int truncations.
-          'msvs_disabled_warnings': [4267, ],
-        },
-        {
           'target_name': 'gdig',
           'type': 'executable',
           'dependencies': [
diff --git a/net/net.target.darwin-arm.mk b/net/net.target.darwin-arm.mk
index 19bb3a027a..eed3235b75 100644
--- a/net/net.target.darwin-arm.mk
+++ b/net/net.target.darwin-arm.mk
@@ -61,7 +61,6 @@ LOCAL_SRC_FILES := \
 	net/base/host_port_pair.cc \
 	net/base/io_buffer.cc \
 	net/base/ip_endpoint.cc \
-	net/base/ip_mapping_rules.cc \
 	net/base/ip_pattern.cc \
 	net/base/keygen_handler.cc \
 	net/base/keygen_handler_openssl.cc \
@@ -134,6 +133,7 @@ LOCAL_SRC_FILES := \
 	net/disk_cache/blockfile/addr.cc \
 	net/disk_cache/blockfile/backend_impl.cc \
 	net/disk_cache/blockfile/backend_impl_v3.cc \
+	net/disk_cache/blockfile/backend_worker_v3.cc \
 	net/disk_cache/blockfile/bitmap.cc \
 	net/disk_cache/blockfile/block_bitmaps_v3.cc \
 	net/disk_cache/blockfile/block_files.cc \
@@ -189,7 +189,6 @@ LOCAL_SRC_FILES := \
 	net/dns/host_resolver_impl.cc \
 	net/dns/host_resolver_proc.cc \
 	net/dns/mapped_host_resolver.cc \
-	net/dns/mapped_ip_resolver.cc \
 	net/dns/serial_worker.cc \
 	net/dns/single_request_host_resolver.cc \
 	net/filter/filter.cc \
@@ -332,7 +331,6 @@ LOCAL_SRC_FILES := \
 	net/quic/crypto/null_encrypter.cc \
 	net/quic/crypto/p256_key_exchange_openssl.cc \
 	net/quic/crypto/proof_source_chromium.cc \
-	net/quic/crypto/proof_verifier.cc \
 	net/quic/crypto/proof_verifier_chromium.cc \
 	net/quic/crypto/quic_crypto_client_config.cc \
 	net/quic/crypto/quic_crypto_server_config.cc \
@@ -351,6 +349,7 @@ LOCAL_SRC_FILES := \
 	net/quic/quic_alarm.cc \
 	net/quic/quic_bandwidth.cc \
 	net/quic/quic_client_session.cc \
+	net/quic/quic_client_session_base.cc \
 	net/quic/quic_clock.cc \
 	net/quic/quic_config.cc \
 	net/quic/quic_connection.cc \
@@ -458,6 +457,7 @@ LOCAL_SRC_FILES := \
 	net/ssl/ssl_cert_request_info.cc \
 	net/ssl/ssl_cipher_suite_names.cc \
 	net/ssl/ssl_client_auth_cache.cc \
+	net/ssl/ssl_config.cc \
 	net/ssl/ssl_config_service.cc \
 	net/ssl/ssl_config_service_defaults.cc \
 	net/ssl/ssl_info.cc \
@@ -581,6 +581,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -678,6 +679,7 @@ MY_DEFS_Release := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net.target.darwin-mips.mk b/net/net.target.darwin-mips.mk
index 18a34acf72..31da97e641 100644
--- a/net/net.target.darwin-mips.mk
+++ b/net/net.target.darwin-mips.mk
@@ -61,7 +61,6 @@ LOCAL_SRC_FILES := \
 	net/base/host_port_pair.cc \
 	net/base/io_buffer.cc \
 	net/base/ip_endpoint.cc \
-	net/base/ip_mapping_rules.cc \
 	net/base/ip_pattern.cc \
 	net/base/keygen_handler.cc \
 	net/base/keygen_handler_openssl.cc \
@@ -134,6 +133,7 @@ LOCAL_SRC_FILES := \
 	net/disk_cache/blockfile/addr.cc \
 	net/disk_cache/blockfile/backend_impl.cc \
 	net/disk_cache/blockfile/backend_impl_v3.cc \
+	net/disk_cache/blockfile/backend_worker_v3.cc \
 	net/disk_cache/blockfile/bitmap.cc \
 	net/disk_cache/blockfile/block_bitmaps_v3.cc \
 	net/disk_cache/blockfile/block_files.cc \
@@ -189,7 +189,6 @@ LOCAL_SRC_FILES := \
 	net/dns/host_resolver_impl.cc \
 	net/dns/host_resolver_proc.cc \
 	net/dns/mapped_host_resolver.cc \
-	net/dns/mapped_ip_resolver.cc \
 	net/dns/serial_worker.cc \
 	net/dns/single_request_host_resolver.cc \
 	net/filter/filter.cc \
@@ -332,7 +331,6 @@ LOCAL_SRC_FILES := \
 	net/quic/crypto/null_encrypter.cc \
 	net/quic/crypto/p256_key_exchange_openssl.cc \
 	net/quic/crypto/proof_source_chromium.cc \
-	net/quic/crypto/proof_verifier.cc \
 	net/quic/crypto/proof_verifier_chromium.cc \
 	net/quic/crypto/quic_crypto_client_config.cc \
 	net/quic/crypto/quic_crypto_server_config.cc \
@@ -351,6 +349,7 @@ LOCAL_SRC_FILES := \
 	net/quic/quic_alarm.cc \
 	net/quic/quic_bandwidth.cc \
 	net/quic/quic_client_session.cc \
+	net/quic/quic_client_session_base.cc \
 	net/quic/quic_clock.cc \
 	net/quic/quic_config.cc \
 	net/quic/quic_connection.cc \
@@ -458,6 +457,7 @@ LOCAL_SRC_FILES := \
 	net/ssl/ssl_cert_request_info.cc \
 	net/ssl/ssl_cipher_suite_names.cc \
 	net/ssl/ssl_client_auth_cache.cc \
+	net/ssl/ssl_config.cc \
 	net/ssl/ssl_config_service.cc \
 	net/ssl/ssl_config_service_defaults.cc \
 	net/ssl/ssl_info.cc \
@@ -580,6 +580,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -676,6 +677,7 @@ MY_DEFS_Release := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net.target.darwin-x86.mk b/net/net.target.darwin-x86.mk
index 04a91ae04f..071105f988 100644
--- a/net/net.target.darwin-x86.mk
+++ b/net/net.target.darwin-x86.mk
@@ -61,7 +61,6 @@ LOCAL_SRC_FILES := \
 	net/base/host_port_pair.cc \
 	net/base/io_buffer.cc \
 	net/base/ip_endpoint.cc \
-	net/base/ip_mapping_rules.cc \
 	net/base/ip_pattern.cc \
 	net/base/keygen_handler.cc \
 	net/base/keygen_handler_openssl.cc \
@@ -134,6 +133,7 @@ LOCAL_SRC_FILES := \
 	net/disk_cache/blockfile/addr.cc \
 	net/disk_cache/blockfile/backend_impl.cc \
 	net/disk_cache/blockfile/backend_impl_v3.cc \
+	net/disk_cache/blockfile/backend_worker_v3.cc \
 	net/disk_cache/blockfile/bitmap.cc \
 	net/disk_cache/blockfile/block_bitmaps_v3.cc \
 	net/disk_cache/blockfile/block_files.cc \
@@ -189,7 +189,6 @@ LOCAL_SRC_FILES := \
 	net/dns/host_resolver_impl.cc \
 	net/dns/host_resolver_proc.cc \
 	net/dns/mapped_host_resolver.cc \
-	net/dns/mapped_ip_resolver.cc \
 	net/dns/serial_worker.cc \
 	net/dns/single_request_host_resolver.cc \
 	net/filter/filter.cc \
@@ -332,7 +331,6 @@ LOCAL_SRC_FILES := \
 	net/quic/crypto/null_encrypter.cc \
 	net/quic/crypto/p256_key_exchange_openssl.cc \
 	net/quic/crypto/proof_source_chromium.cc \
-	net/quic/crypto/proof_verifier.cc \
 	net/quic/crypto/proof_verifier_chromium.cc \
 	net/quic/crypto/quic_crypto_client_config.cc \
 	net/quic/crypto/quic_crypto_server_config.cc \
@@ -351,6 +349,7 @@ LOCAL_SRC_FILES := \
 	net/quic/quic_alarm.cc \
 	net/quic/quic_bandwidth.cc \
 	net/quic/quic_client_session.cc \
+	net/quic/quic_client_session_base.cc \
 	net/quic/quic_clock.cc \
 	net/quic/quic_config.cc \
 	net/quic/quic_connection.cc \
@@ -458,6 +457,7 @@ LOCAL_SRC_FILES := \
 	net/ssl/ssl_cert_request_info.cc \
 	net/ssl/ssl_cipher_suite_names.cc \
 	net/ssl/ssl_client_auth_cache.cc \
+	net/ssl/ssl_config.cc \
 	net/ssl/ssl_config_service.cc \
 	net/ssl/ssl_config_service_defaults.cc \
 	net/ssl/ssl_info.cc \
@@ -581,6 +581,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -677,6 +678,7 @@ MY_DEFS_Release := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net.target.darwin-x86_64.mk b/net/net.target.darwin-x86_64.mk
new file mode 100644
index 0000000000..c05cd6df73
--- /dev/null
+++ b/net/net.target.darwin-x86_64.mk
@@ -0,0 +1,786 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := STATIC_LIBRARIES
+LOCAL_MODULE := net_net_gyp
+LOCAL_MODULE_SUFFIX := .a
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES := \
+	$(call intermediates-dir-for,GYP,third_party_icu_icui18n_gyp)/icui18n.stamp \
+	$(call intermediates-dir-for,GYP,third_party_icu_icuuc_gyp)/icuuc.stamp \
+	$(call intermediates-dir-for,GYP,net_net_resources_gyp)/net_resources.stamp \
+	$(call intermediates-dir-for,GYP,net_net_jni_headers_gyp)/net_jni_headers.stamp
+
+GYP_GENERATED_OUTPUTS :=
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_CPP_EXTENSION := .cc
+LOCAL_GENERATED_SOURCES :=
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES := \
+	net/android/cert_verify_result_android.cc \
+	net/android/gurl_utils.cc \
+	net/android/android_private_key.cc \
+	net/android/keystore.cc \
+	net/android/keystore_openssl.cc \
+	net/android/net_jni_registrar.cc \
+	net/android/network_change_notifier_android.cc \
+	net/android/network_change_notifier_delegate_android.cc \
+	net/android/network_change_notifier_factory_android.cc \
+	net/android/network_library.cc \
+	net/base/address_list.cc \
+	net/base/address_tracker_linux.cc \
+	net/base/auth.cc \
+	net/base/backoff_entry.cc \
+	net/base/bandwidth_metrics.cc \
+	net/base/connection_type_histograms.cc \
+	net/base/crypto_module_openssl.cc \
+	net/base/data_url.cc \
+	net/base/directory_lister.cc \
+	net/base/dns_reloader.cc \
+	net/base/dns_util.cc \
+	net/base/escape.cc \
+	net/base/file_stream.cc \
+	net/base/file_stream_context.cc \
+	net/base/file_stream_context_posix.cc \
+	net/base/file_stream_metrics.cc \
+	net/base/file_stream_metrics_posix.cc \
+	net/base/file_stream_net_log_parameters.cc \
+	net/base/int128.cc \
+	net/base/hash_value.cc \
+	net/base/host_mapping_rules.cc \
+	net/base/host_port_pair.cc \
+	net/base/io_buffer.cc \
+	net/base/ip_endpoint.cc \
+	net/base/ip_pattern.cc \
+	net/base/keygen_handler.cc \
+	net/base/keygen_handler_openssl.cc \
+	net/base/load_timing_info.cc \
+	net/base/mime_sniffer.cc \
+	net/base/mime_util.cc \
+	net/base/net_errors.cc \
+	net/base/net_errors_posix.cc \
+	net/base/net_log.cc \
+	net/base/net_log_logger.cc \
+	net/base/net_module.cc \
+	net/base/net_util.cc \
+	net/base/net_util_posix.cc \
+	net/base/network_change_notifier.cc \
+	net/base/network_delegate.cc \
+	net/base/network_time_notifier.cc \
+	net/base/openssl_private_key_store_android.cc \
+	net/base/platform_mime_util_linux.cc \
+	net/base/prioritized_dispatcher.cc \
+	net/base/registry_controlled_domains/registry_controlled_domain.cc \
+	net/base/request_priority.cc \
+	net/base/sdch_manager.cc \
+	net/base/static_cookie_policy.cc \
+	net/base/test_data_stream.cc \
+	net/base/upload_bytes_element_reader.cc \
+	net/base/upload_data_stream.cc \
+	net/base/upload_element.cc \
+	net/base/upload_element_reader.cc \
+	net/base/upload_file_element_reader.cc \
+	net/base/url_util.cc \
+	net/base/zap.cc \
+	net/cert/asn1_util.cc \
+	net/cert/cert_database.cc \
+	net/cert/cert_database_android.cc \
+	net/cert/cert_status_flags.cc \
+	net/cert/cert_verifier.cc \
+	net/cert/cert_verify_proc.cc \
+	net/cert/cert_verify_proc_android.cc \
+	net/cert/cert_verify_result.cc \
+	net/cert/crl_set.cc \
+	net/cert/ct_known_logs.cc \
+	net/cert/ct_log_verifier.cc \
+	net/cert/ct_log_verifier_openssl.cc \
+	net/cert/ct_objects_extractor_openssl.cc \
+	net/cert/ct_serialization.cc \
+	net/cert/ct_signed_certificate_timestamp_log_param.cc \
+	net/cert/ct_verify_result.cc \
+	net/cert/ev_root_ca_metadata.cc \
+	net/cert/jwk_serializer_openssl.cc \
+	net/cert/multi_log_ct_verifier.cc \
+	net/cert/multi_threaded_cert_verifier.cc \
+	net/cert/pem_tokenizer.cc \
+	net/cert/signed_certificate_timestamp.cc \
+	net/cert/single_request_cert_verifier.cc \
+	net/cert/test_root_certs.cc \
+	net/cert/test_root_certs_android.cc \
+	net/cert/x509_cert_types.cc \
+	net/cert/x509_certificate.cc \
+	net/cert/x509_certificate_net_log_param.cc \
+	net/cert/x509_certificate_openssl.cc \
+	net/cert/x509_util.cc \
+	net/cert/x509_util_android.cc \
+	net/cert/x509_util_openssl.cc \
+	net/cookies/canonical_cookie.cc \
+	net/cookies/cookie_constants.cc \
+	net/cookies/cookie_monster.cc \
+	net/cookies/cookie_store.cc \
+	net/cookies/cookie_util.cc \
+	net/cookies/parsed_cookie.cc \
+	net/disk_cache/blockfile/addr.cc \
+	net/disk_cache/blockfile/backend_impl.cc \
+	net/disk_cache/blockfile/backend_impl_v3.cc \
+	net/disk_cache/blockfile/backend_worker_v3.cc \
+	net/disk_cache/blockfile/bitmap.cc \
+	net/disk_cache/blockfile/block_bitmaps_v3.cc \
+	net/disk_cache/blockfile/block_files.cc \
+	net/disk_cache/blockfile/disk_format.cc \
+	net/disk_cache/blockfile/entry_impl.cc \
+	net/disk_cache/blockfile/entry_impl_v3.cc \
+	net/disk_cache/blockfile/eviction.cc \
+	net/disk_cache/blockfile/eviction_v3.cc \
+	net/disk_cache/blockfile/file.cc \
+	net/disk_cache/blockfile/file_lock.cc \
+	net/disk_cache/blockfile/file_posix.cc \
+	net/disk_cache/blockfile/in_flight_backend_io.cc \
+	net/disk_cache/blockfile/in_flight_io.cc \
+	net/disk_cache/blockfile/index_table_v3.cc \
+	net/disk_cache/blockfile/mapped_file.cc \
+	net/disk_cache/blockfile/mapped_file_avoid_mmap_posix.cc \
+	net/disk_cache/blockfile/rankings.cc \
+	net/disk_cache/blockfile/sparse_control.cc \
+	net/disk_cache/blockfile/stats.cc \
+	net/disk_cache/blockfile/stats_histogram.cc \
+	net/disk_cache/blockfile/trace.cc \
+	net/disk_cache/cache_creator.cc \
+	net/disk_cache/cache_util.cc \
+	net/disk_cache/cache_util_posix.cc \
+	net/disk_cache/memory/mem_backend_impl.cc \
+	net/disk_cache/memory/mem_entry_impl.cc \
+	net/disk_cache/memory/mem_rankings.cc \
+	net/disk_cache/net_log_parameters.cc \
+	net/disk_cache/simple/simple_backend_impl.cc \
+	net/disk_cache/simple/simple_entry_format.cc \
+	net/disk_cache/simple/simple_entry_impl.cc \
+	net/disk_cache/simple/simple_entry_operation.cc \
+	net/disk_cache/simple/simple_index.cc \
+	net/disk_cache/simple/simple_index_file.cc \
+	net/disk_cache/simple/simple_index_file_posix.cc \
+	net/disk_cache/simple/simple_net_log_parameters.cc \
+	net/disk_cache/simple/simple_synchronous_entry.cc \
+	net/disk_cache/simple/simple_util.cc \
+	net/disk_cache/simple/simple_version_upgrade.cc \
+	net/disk_cache/tracing/tracing_cache_backend.cc \
+	net/dns/address_sorter_posix.cc \
+	net/dns/dns_client.cc \
+	net/dns/dns_config_service.cc \
+	net/dns/dns_config_service_posix.cc \
+	net/dns/dns_hosts.cc \
+	net/dns/dns_query.cc \
+	net/dns/dns_response.cc \
+	net/dns/dns_session.cc \
+	net/dns/dns_socket_pool.cc \
+	net/dns/dns_transaction.cc \
+	net/dns/host_cache.cc \
+	net/dns/host_resolver.cc \
+	net/dns/host_resolver_impl.cc \
+	net/dns/host_resolver_proc.cc \
+	net/dns/mapped_host_resolver.cc \
+	net/dns/serial_worker.cc \
+	net/dns/single_request_host_resolver.cc \
+	net/filter/filter.cc \
+	net/filter/gzip_filter.cc \
+	net/filter/gzip_header.cc \
+	net/filter/sdch_filter.cc \
+	net/ftp/ftp_auth_cache.cc \
+	net/ftp/ftp_ctrl_response_buffer.cc \
+	net/ftp/ftp_directory_listing_parser.cc \
+	net/ftp/ftp_directory_listing_parser_ls.cc \
+	net/ftp/ftp_directory_listing_parser_netware.cc \
+	net/ftp/ftp_directory_listing_parser_os2.cc \
+	net/ftp/ftp_directory_listing_parser_vms.cc \
+	net/ftp/ftp_directory_listing_parser_windows.cc \
+	net/ftp/ftp_network_layer.cc \
+	net/ftp/ftp_network_session.cc \
+	net/ftp/ftp_network_transaction.cc \
+	net/ftp/ftp_response_info.cc \
+	net/ftp/ftp_server_type_histograms.cc \
+	net/ftp/ftp_util.cc \
+	net/http/des.cc \
+	net/http/disk_cache_based_quic_server_info.cc \
+	net/http/failing_http_transaction_factory.cc \
+	net/http/http_auth.cc \
+	net/http/http_auth_cache.cc \
+	net/http/http_auth_challenge_tokenizer.cc \
+	net/http/http_auth_controller.cc \
+	net/http/http_auth_filter.cc \
+	net/http/http_auth_handler.cc \
+	net/http/http_auth_handler_basic.cc \
+	net/http/http_auth_handler_digest.cc \
+	net/http/http_auth_handler_factory.cc \
+	net/http/http_auth_handler_ntlm.cc \
+	net/http/http_auth_handler_ntlm_portable.cc \
+	net/http/http_basic_state.cc \
+	net/http/http_basic_stream.cc \
+	net/http/http_byte_range.cc \
+	net/http/http_cache.cc \
+	net/http/http_cache_transaction.cc \
+	net/http/http_content_disposition.cc \
+	net/http/http_chunked_decoder.cc \
+	net/http/http_log_util.cc \
+	net/http/http_network_layer.cc \
+	net/http/http_network_session.cc \
+	net/http/http_network_session_peer.cc \
+	net/http/http_network_transaction.cc \
+	net/http/http_pipelined_connection_impl.cc \
+	net/http/http_pipelined_host.cc \
+	net/http/http_pipelined_host_forced.cc \
+	net/http/http_pipelined_host_impl.cc \
+	net/http/http_pipelined_host_pool.cc \
+	net/http/http_pipelined_stream.cc \
+	net/http/http_proxy_client_socket.cc \
+	net/http/http_proxy_client_socket_pool.cc \
+	net/http/http_request_headers.cc \
+	net/http/http_request_info.cc \
+	net/http/http_response_body_drainer.cc \
+	net/http/http_response_headers.cc \
+	net/http/http_response_info.cc \
+	net/http/http_security_headers.cc \
+	net/http/http_server_properties.cc \
+	net/http/http_server_properties_impl.cc \
+	net/http/http_status_code.cc \
+	net/http/http_stream_factory.cc \
+	net/http/http_stream_factory_impl.cc \
+	net/http/http_stream_factory_impl_job.cc \
+	net/http/http_stream_factory_impl_request.cc \
+	net/http/http_stream_parser.cc \
+	net/http/http_util.cc \
+	net/http/http_util_icu.cc \
+	net/http/http_vary_data.cc \
+	net/http/md4.cc \
+	net/http/partial_data.cc \
+	net/http/proxy_client_socket.cc \
+	net/http/proxy_connect_redirect_http_stream.cc \
+	net/http/transport_security_persister.cc \
+	net/http/transport_security_state.cc \
+	net/http/url_security_manager.cc \
+	net/http/url_security_manager_posix.cc \
+	net/proxy/dhcp_proxy_script_fetcher.cc \
+	net/proxy/dhcp_proxy_script_fetcher_factory.cc \
+	net/proxy/multi_threaded_proxy_resolver.cc \
+	net/proxy/network_delegate_error_observer.cc \
+	net/proxy/polling_proxy_config_service.cc \
+	net/proxy/proxy_bypass_rules.cc \
+	net/proxy/proxy_config.cc \
+	net/proxy/proxy_config_service_android.cc \
+	net/proxy/proxy_config_service_fixed.cc \
+	net/proxy/proxy_config_source.cc \
+	net/proxy/proxy_info.cc \
+	net/proxy/proxy_list.cc \
+	net/proxy/proxy_resolver_script_data.cc \
+	net/proxy/proxy_script_decider.cc \
+	net/proxy/proxy_script_fetcher_impl.cc \
+	net/proxy/proxy_server.cc \
+	net/proxy/proxy_service.cc \
+	net/quic/congestion_control/available_channel_estimator.cc \
+	net/quic/congestion_control/channel_estimator.cc \
+	net/quic/congestion_control/cube_root.cc \
+	net/quic/congestion_control/cubic.cc \
+	net/quic/congestion_control/fix_rate_receiver.cc \
+	net/quic/congestion_control/fix_rate_sender.cc \
+	net/quic/congestion_control/hybrid_slow_start.cc \
+	net/quic/congestion_control/inter_arrival_bitrate_ramp_up.cc \
+	net/quic/congestion_control/inter_arrival_overuse_detector.cc \
+	net/quic/congestion_control/inter_arrival_probe.cc \
+	net/quic/congestion_control/inter_arrival_receiver.cc \
+	net/quic/congestion_control/inter_arrival_sender.cc \
+	net/quic/congestion_control/inter_arrival_state_machine.cc \
+	net/quic/congestion_control/leaky_bucket.cc \
+	net/quic/congestion_control/loss_detection_interface.cc \
+	net/quic/congestion_control/paced_sender.cc \
+	net/quic/congestion_control/pacing_sender.cc \
+	net/quic/congestion_control/receive_algorithm_interface.cc \
+	net/quic/congestion_control/rtt_stats.cc \
+	net/quic/congestion_control/send_algorithm_interface.cc \
+	net/quic/congestion_control/tcp_cubic_sender.cc \
+	net/quic/congestion_control/tcp_loss_algorithm.cc \
+	net/quic/congestion_control/tcp_receiver.cc \
+	net/quic/congestion_control/time_loss_algorithm.cc \
+	net/quic/crypto/aead_base_decrypter_openssl.cc \
+	net/quic/crypto/aead_base_encrypter_openssl.cc \
+	net/quic/crypto/aes_128_gcm_12_decrypter_openssl.cc \
+	net/quic/crypto/aes_128_gcm_12_encrypter_openssl.cc \
+	net/quic/crypto/cert_compressor.cc \
+	net/quic/crypto/chacha20_poly1305_decrypter_openssl.cc \
+	net/quic/crypto/chacha20_poly1305_encrypter_openssl.cc \
+	net/quic/crypto/channel_id.cc \
+	net/quic/crypto/channel_id_openssl.cc \
+	net/quic/crypto/common_cert_set.cc \
+	net/quic/crypto/crypto_framer.cc \
+	net/quic/crypto/crypto_handshake.cc \
+	net/quic/crypto/crypto_handshake_message.cc \
+	net/quic/crypto/crypto_secret_boxer.cc \
+	net/quic/crypto/crypto_server_config_protobuf.cc \
+	net/quic/crypto/crypto_utils.cc \
+	net/quic/crypto/curve25519_key_exchange.cc \
+	net/quic/crypto/local_strike_register_client.cc \
+	net/quic/crypto/null_decrypter.cc \
+	net/quic/crypto/null_encrypter.cc \
+	net/quic/crypto/p256_key_exchange_openssl.cc \
+	net/quic/crypto/proof_source_chromium.cc \
+	net/quic/crypto/proof_verifier_chromium.cc \
+	net/quic/crypto/quic_crypto_client_config.cc \
+	net/quic/crypto/quic_crypto_server_config.cc \
+	net/quic/crypto/quic_decrypter.cc \
+	net/quic/crypto/quic_encrypter.cc \
+	net/quic/crypto/quic_random.cc \
+	net/quic/crypto/quic_server_info.cc \
+	net/quic/crypto/scoped_evp_aead_ctx.cc \
+	net/quic/crypto/strike_register.cc \
+	net/quic/crypto/source_address_token.cc \
+	net/quic/iovector.cc \
+	net/quic/port_suggester.cc \
+	net/quic/quic_ack_notifier.cc \
+	net/quic/quic_ack_notifier_manager.cc \
+	net/quic/quic_address_mismatch.cc \
+	net/quic/quic_alarm.cc \
+	net/quic/quic_bandwidth.cc \
+	net/quic/quic_client_session.cc \
+	net/quic/quic_client_session_base.cc \
+	net/quic/quic_clock.cc \
+	net/quic/quic_config.cc \
+	net/quic/quic_connection.cc \
+	net/quic/quic_connection_helper.cc \
+	net/quic/quic_connection_logger.cc \
+	net/quic/quic_connection_stats.cc \
+	net/quic/quic_crypto_client_stream.cc \
+	net/quic/quic_crypto_server_stream.cc \
+	net/quic/quic_crypto_stream.cc \
+	net/quic/quic_data_reader.cc \
+	net/quic/quic_data_stream.cc \
+	net/quic/quic_data_writer.cc \
+	net/quic/quic_default_packet_writer.cc \
+	net/quic/quic_fec_group.cc \
+	net/quic/quic_framer.cc \
+	net/quic/quic_headers_stream.cc \
+	net/quic/quic_http_stream.cc \
+	net/quic/quic_http_utils.cc \
+	net/quic/quic_packet_creator.cc \
+	net/quic/quic_packet_generator.cc \
+	net/quic/quic_protocol.cc \
+	net/quic/quic_received_packet_manager.cc \
+	net/quic/quic_reliable_client_stream.cc \
+	net/quic/quic_sent_entropy_manager.cc \
+	net/quic/quic_sent_packet_manager.cc \
+	net/quic/quic_session.cc \
+	net/quic/quic_session_key.cc \
+	net/quic/quic_socket_address_coder.cc \
+	net/quic/quic_stream_factory.cc \
+	net/quic/quic_stream_sequencer.cc \
+	net/quic/quic_time.cc \
+	net/quic/quic_unacked_packet_map.cc \
+	net/quic/quic_utils.cc \
+	net/quic/quic_write_blocked_list.cc \
+	net/quic/reliable_quic_stream.cc \
+	net/quic/spdy_utils.cc \
+	net/socket/buffered_write_stream_socket.cc \
+	net/socket/client_socket_factory.cc \
+	net/socket/client_socket_handle.cc \
+	net/socket/client_socket_pool.cc \
+	net/socket/client_socket_pool_base.cc \
+	net/socket/client_socket_pool_histograms.cc \
+	net/socket/client_socket_pool_manager.cc \
+	net/socket/client_socket_pool_manager_impl.cc \
+	net/socket/socket_descriptor.cc \
+	net/socket/socket_net_log_params.cc \
+	net/socket/socks5_client_socket.cc \
+	net/socket/socks_client_socket.cc \
+	net/socket/socks_client_socket_pool.cc \
+	net/socket/ssl_client_socket.cc \
+	net/socket/ssl_client_socket_openssl.cc \
+	net/socket/ssl_client_socket_pool.cc \
+	net/socket/ssl_error_params.cc \
+	net/socket/ssl_server_socket_openssl.cc \
+	net/socket/ssl_session_cache_openssl.cc \
+	net/socket/stream_listen_socket.cc \
+	net/socket/stream_socket.cc \
+	net/socket/tcp_client_socket.cc \
+	net/socket/tcp_listen_socket.cc \
+	net/socket/tcp_server_socket.cc \
+	net/socket/tcp_socket.cc \
+	net/socket/tcp_socket_libevent.cc \
+	net/socket/transport_client_socket_pool.cc \
+	net/socket/unix_domain_socket_posix.cc \
+	net/socket_stream/socket_stream.cc \
+	net/socket_stream/socket_stream_job.cc \
+	net/socket_stream/socket_stream_job_manager.cc \
+	net/socket_stream/socket_stream_metrics.cc \
+	net/spdy/buffered_spdy_framer.cc \
+	net/spdy/hpack_constants.cc \
+	net/spdy/hpack_decoder.cc \
+	net/spdy/hpack_encoder.cc \
+	net/spdy/hpack_encoding_context.cc \
+	net/spdy/hpack_entry.cc \
+	net/spdy/hpack_header_table.cc \
+	net/spdy/hpack_huffman_table.cc \
+	net/spdy/hpack_input_stream.cc \
+	net/spdy/hpack_output_stream.cc \
+	net/spdy/hpack_string_util.cc \
+	net/spdy/spdy_buffer.cc \
+	net/spdy/spdy_buffer_producer.cc \
+	net/spdy/spdy_frame_builder.cc \
+	net/spdy/spdy_frame_reader.cc \
+	net/spdy/spdy_framer.cc \
+	net/spdy/spdy_header_block.cc \
+	net/spdy/spdy_headers_block_parser.cc \
+	net/spdy/spdy_http_stream.cc \
+	net/spdy/spdy_http_utils.cc \
+	net/spdy/spdy_pinnable_buffer_piece.cc \
+	net/spdy/spdy_prefixed_buffer_reader.cc \
+	net/spdy/spdy_protocol.cc \
+	net/spdy/spdy_proxy_client_socket.cc \
+	net/spdy/spdy_read_queue.cc \
+	net/spdy/spdy_session.cc \
+	net/spdy/spdy_session_key.cc \
+	net/spdy/spdy_session_pool.cc \
+	net/spdy/spdy_stream.cc \
+	net/spdy/spdy_websocket_stream.cc \
+	net/spdy/spdy_write_queue.cc \
+	net/ssl/default_server_bound_cert_store.cc \
+	net/ssl/openssl_client_key_store.cc \
+	net/ssl/server_bound_cert_service.cc \
+	net/ssl/server_bound_cert_store.cc \
+	net/ssl/signed_certificate_timestamp_and_status.cc \
+	net/ssl/ssl_cert_request_info.cc \
+	net/ssl/ssl_cipher_suite_names.cc \
+	net/ssl/ssl_client_auth_cache.cc \
+	net/ssl/ssl_config.cc \
+	net/ssl/ssl_config_service.cc \
+	net/ssl/ssl_config_service_defaults.cc \
+	net/ssl/ssl_info.cc \
+	net/udp/udp_client_socket.cc \
+	net/udp/udp_net_log_parameters.cc \
+	net/udp/udp_server_socket.cc \
+	net/udp/udp_socket_libevent.cc \
+	net/url_request/data_protocol_handler.cc \
+	net/url_request/file_protocol_handler.cc \
+	net/url_request/ftp_protocol_handler.cc \
+	net/url_request/protocol_intercept_job_factory.cc \
+	net/url_request/static_http_user_agent_settings.cc \
+	net/url_request/url_fetcher.cc \
+	net/url_request/url_fetcher_core.cc \
+	net/url_request/url_fetcher_delegate.cc \
+	net/url_request/url_fetcher_impl.cc \
+	net/url_request/url_fetcher_response_writer.cc \
+	net/url_request/url_range_request_job.cc \
+	net/url_request/url_request.cc \
+	net/url_request/url_request_about_job.cc \
+	net/url_request/url_request_context.cc \
+	net/url_request/url_request_context_builder.cc \
+	net/url_request/url_request_context_getter.cc \
+	net/url_request/url_request_context_storage.cc \
+	net/url_request/url_request_data_job.cc \
+	net/url_request/url_request_error_job.cc \
+	net/url_request/url_request_file_dir_job.cc \
+	net/url_request/url_request_file_job.cc \
+	net/url_request/url_request_filter.cc \
+	net/url_request/url_request_ftp_job.cc \
+	net/url_request/url_request_http_job.cc \
+	net/url_request/url_request_job.cc \
+	net/url_request/url_request_job_factory.cc \
+	net/url_request/url_request_job_factory_impl.cc \
+	net/url_request/url_request_job_manager.cc \
+	net/url_request/url_request_netlog_params.cc \
+	net/url_request/url_request_redirect_job.cc \
+	net/url_request/url_request_simple_job.cc \
+	net/url_request/url_request_test_job.cc \
+	net/url_request/url_request_throttler_entry.cc \
+	net/url_request/url_request_throttler_header_adapter.cc \
+	net/url_request/url_request_throttler_manager.cc \
+	net/url_request/view_cache_helper.cc \
+	net/url_request/websocket_handshake_userdata_key.cc \
+	net/websockets/websocket_basic_handshake_stream.cc \
+	net/websockets/websocket_basic_stream.cc \
+	net/websockets/websocket_channel.cc \
+	net/websockets/websocket_deflate_predictor_impl.cc \
+	net/websockets/websocket_deflate_stream.cc \
+	net/websockets/websocket_deflater.cc \
+	net/websockets/websocket_errors.cc \
+	net/websockets/websocket_extension.cc \
+	net/websockets/websocket_extension_parser.cc \
+	net/websockets/websocket_frame.cc \
+	net/websockets/websocket_frame_parser.cc \
+	net/websockets/websocket_handshake_constants.cc \
+	net/websockets/websocket_handshake_handler.cc \
+	net/websockets/websocket_handshake_request_info.cc \
+	net/websockets/websocket_handshake_response_info.cc \
+	net/websockets/websocket_handshake_stream_create_helper.cc \
+	net/websockets/websocket_inflater.cc \
+	net/websockets/websocket_job.cc \
+	net/websockets/websocket_net_log_params.cc \
+	net/websockets/websocket_stream.cc \
+	net/websockets/websocket_throttle.cc
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DNET_IMPLEMENTATION' \
+	'-DPOSIX_AVOID_MMAP' \
+	'-DENABLE_BUILT_IN_DNS' \
+	'-DU_USING_ICU_NAMESPACE=0' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(gyp_shared_intermediate_dir)/shim_headers/icuuc/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/icui18n/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
+	$(LOCAL_PATH)/third_party/openssl \
+	$(LOCAL_PATH) \
+	$(LOCAL_PATH)/sdch/open-vcdiff/src \
+	$(PWD)/external/icu4c/common \
+	$(PWD)/external/icu4c/i18n \
+	$(LOCAL_PATH)/third_party/zlib \
+	$(gyp_shared_intermediate_dir)/net \
+	$(LOCAL_PATH)/third_party/openssl/config/x64 \
+	$(LOCAL_PATH)/third_party/openssl/openssl/include \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DNET_IMPLEMENTATION' \
+	'-DPOSIX_AVOID_MMAP' \
+	'-DENABLE_BUILT_IN_DNS' \
+	'-DU_USING_ICU_NAMESPACE=0' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(gyp_shared_intermediate_dir)/shim_headers/icuuc/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/icui18n/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
+	$(LOCAL_PATH)/third_party/openssl \
+	$(LOCAL_PATH) \
+	$(LOCAL_PATH)/sdch/open-vcdiff/src \
+	$(PWD)/external/icu4c/common \
+	$(PWD)/external/icu4c/i18n \
+	$(LOCAL_PATH)/third_party/zlib \
+	$(gyp_shared_intermediate_dir)/net \
+	$(LOCAL_PATH)/third_party/openssl/config/x64 \
+	$(LOCAL_PATH)/third_party/openssl/openssl/include \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+
+LOCAL_LDFLAGS_Debug := \
+	-Wl,--fatal-warnings \
+	-Wl,-z,now \
+	-Wl,-z,relro \
+	-Wl,-z,noexecstack \
+	-fPIC \
+	-m64 \
+	-fuse-ld=gold \
+	-nostdlib \
+	-Wl,--no-undefined \
+	-Wl,--exclude-libs=ALL \
+	-Wl,--gc-sections \
+	-Wl,--warn-shared-textrel \
+	-Wl,-O1 \
+	-Wl,--as-needed
+
+
+LOCAL_LDFLAGS_Release := \
+	-Wl,--fatal-warnings \
+	-Wl,-z,now \
+	-Wl,-z,relro \
+	-Wl,-z,noexecstack \
+	-fPIC \
+	-m64 \
+	-fuse-ld=gold \
+	-nostdlib \
+	-Wl,--no-undefined \
+	-Wl,--exclude-libs=ALL \
+	-Wl,-O1 \
+	-Wl,--as-needed \
+	-Wl,--gc-sections \
+	-Wl,--warn-shared-textrel
+
+
+LOCAL_LDFLAGS := $(LOCAL_LDFLAGS_$(GYP_CONFIGURATION))
+
+LOCAL_STATIC_LIBRARIES :=
+
+# Enable grouping to fix circular references
+LOCAL_GROUP_STATIC_LIBRARIES := true
+
+LOCAL_SHARED_LIBRARIES := \
+	libstlport \
+	libdl
+
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_net_gyp
+
+# Alias gyp target name.
+.PHONY: net
+net: net_net_gyp
+
+include $(BUILD_STATIC_LIBRARY)
diff --git a/net/net.target.linux-arm.mk b/net/net.target.linux-arm.mk
index 19bb3a027a..eed3235b75 100644
--- a/net/net.target.linux-arm.mk
+++ b/net/net.target.linux-arm.mk
@@ -61,7 +61,6 @@ LOCAL_SRC_FILES := \
 	net/base/host_port_pair.cc \
 	net/base/io_buffer.cc \
 	net/base/ip_endpoint.cc \
-	net/base/ip_mapping_rules.cc \
 	net/base/ip_pattern.cc \
 	net/base/keygen_handler.cc \
 	net/base/keygen_handler_openssl.cc \
@@ -134,6 +133,7 @@ LOCAL_SRC_FILES := \
 	net/disk_cache/blockfile/addr.cc \
 	net/disk_cache/blockfile/backend_impl.cc \
 	net/disk_cache/blockfile/backend_impl_v3.cc \
+	net/disk_cache/blockfile/backend_worker_v3.cc \
 	net/disk_cache/blockfile/bitmap.cc \
 	net/disk_cache/blockfile/block_bitmaps_v3.cc \
 	net/disk_cache/blockfile/block_files.cc \
@@ -189,7 +189,6 @@ LOCAL_SRC_FILES := \
 	net/dns/host_resolver_impl.cc \
 	net/dns/host_resolver_proc.cc \
 	net/dns/mapped_host_resolver.cc \
-	net/dns/mapped_ip_resolver.cc \
 	net/dns/serial_worker.cc \
 	net/dns/single_request_host_resolver.cc \
 	net/filter/filter.cc \
@@ -332,7 +331,6 @@ LOCAL_SRC_FILES := \
 	net/quic/crypto/null_encrypter.cc \
 	net/quic/crypto/p256_key_exchange_openssl.cc \
 	net/quic/crypto/proof_source_chromium.cc \
-	net/quic/crypto/proof_verifier.cc \
 	net/quic/crypto/proof_verifier_chromium.cc \
 	net/quic/crypto/quic_crypto_client_config.cc \
 	net/quic/crypto/quic_crypto_server_config.cc \
@@ -351,6 +349,7 @@ LOCAL_SRC_FILES := \
 	net/quic/quic_alarm.cc \
 	net/quic/quic_bandwidth.cc \
 	net/quic/quic_client_session.cc \
+	net/quic/quic_client_session_base.cc \
 	net/quic/quic_clock.cc \
 	net/quic/quic_config.cc \
 	net/quic/quic_connection.cc \
@@ -458,6 +457,7 @@ LOCAL_SRC_FILES := \
 	net/ssl/ssl_cert_request_info.cc \
 	net/ssl/ssl_cipher_suite_names.cc \
 	net/ssl/ssl_client_auth_cache.cc \
+	net/ssl/ssl_config.cc \
 	net/ssl/ssl_config_service.cc \
 	net/ssl/ssl_config_service_defaults.cc \
 	net/ssl/ssl_info.cc \
@@ -581,6 +581,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -678,6 +679,7 @@ MY_DEFS_Release := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net.target.linux-mips.mk b/net/net.target.linux-mips.mk
index 18a34acf72..31da97e641 100644
--- a/net/net.target.linux-mips.mk
+++ b/net/net.target.linux-mips.mk
@@ -61,7 +61,6 @@ LOCAL_SRC_FILES := \
 	net/base/host_port_pair.cc \
 	net/base/io_buffer.cc \
 	net/base/ip_endpoint.cc \
-	net/base/ip_mapping_rules.cc \
 	net/base/ip_pattern.cc \
 	net/base/keygen_handler.cc \
 	net/base/keygen_handler_openssl.cc \
@@ -134,6 +133,7 @@ LOCAL_SRC_FILES := \
 	net/disk_cache/blockfile/addr.cc \
 	net/disk_cache/blockfile/backend_impl.cc \
 	net/disk_cache/blockfile/backend_impl_v3.cc \
+	net/disk_cache/blockfile/backend_worker_v3.cc \
 	net/disk_cache/blockfile/bitmap.cc \
 	net/disk_cache/blockfile/block_bitmaps_v3.cc \
 	net/disk_cache/blockfile/block_files.cc \
@@ -189,7 +189,6 @@ LOCAL_SRC_FILES := \
 	net/dns/host_resolver_impl.cc \
 	net/dns/host_resolver_proc.cc \
 	net/dns/mapped_host_resolver.cc \
-	net/dns/mapped_ip_resolver.cc \
 	net/dns/serial_worker.cc \
 	net/dns/single_request_host_resolver.cc \
 	net/filter/filter.cc \
@@ -332,7 +331,6 @@ LOCAL_SRC_FILES := \
 	net/quic/crypto/null_encrypter.cc \
 	net/quic/crypto/p256_key_exchange_openssl.cc \
 	net/quic/crypto/proof_source_chromium.cc \
-	net/quic/crypto/proof_verifier.cc \
 	net/quic/crypto/proof_verifier_chromium.cc \
 	net/quic/crypto/quic_crypto_client_config.cc \
 	net/quic/crypto/quic_crypto_server_config.cc \
@@ -351,6 +349,7 @@ LOCAL_SRC_FILES := \
 	net/quic/quic_alarm.cc \
 	net/quic/quic_bandwidth.cc \
 	net/quic/quic_client_session.cc \
+	net/quic/quic_client_session_base.cc \
 	net/quic/quic_clock.cc \
 	net/quic/quic_config.cc \
 	net/quic/quic_connection.cc \
@@ -458,6 +457,7 @@ LOCAL_SRC_FILES := \
 	net/ssl/ssl_cert_request_info.cc \
 	net/ssl/ssl_cipher_suite_names.cc \
 	net/ssl/ssl_client_auth_cache.cc \
+	net/ssl/ssl_config.cc \
 	net/ssl/ssl_config_service.cc \
 	net/ssl/ssl_config_service_defaults.cc \
 	net/ssl/ssl_info.cc \
@@ -580,6 +580,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -676,6 +677,7 @@ MY_DEFS_Release := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net.target.linux-x86.mk b/net/net.target.linux-x86.mk
index 04a91ae04f..071105f988 100644
--- a/net/net.target.linux-x86.mk
+++ b/net/net.target.linux-x86.mk
@@ -61,7 +61,6 @@ LOCAL_SRC_FILES := \
 	net/base/host_port_pair.cc \
 	net/base/io_buffer.cc \
 	net/base/ip_endpoint.cc \
-	net/base/ip_mapping_rules.cc \
 	net/base/ip_pattern.cc \
 	net/base/keygen_handler.cc \
 	net/base/keygen_handler_openssl.cc \
@@ -134,6 +133,7 @@ LOCAL_SRC_FILES := \
 	net/disk_cache/blockfile/addr.cc \
 	net/disk_cache/blockfile/backend_impl.cc \
 	net/disk_cache/blockfile/backend_impl_v3.cc \
+	net/disk_cache/blockfile/backend_worker_v3.cc \
 	net/disk_cache/blockfile/bitmap.cc \
 	net/disk_cache/blockfile/block_bitmaps_v3.cc \
 	net/disk_cache/blockfile/block_files.cc \
@@ -189,7 +189,6 @@ LOCAL_SRC_FILES := \
 	net/dns/host_resolver_impl.cc \
 	net/dns/host_resolver_proc.cc \
 	net/dns/mapped_host_resolver.cc \
-	net/dns/mapped_ip_resolver.cc \
 	net/dns/serial_worker.cc \
 	net/dns/single_request_host_resolver.cc \
 	net/filter/filter.cc \
@@ -332,7 +331,6 @@ LOCAL_SRC_FILES := \
 	net/quic/crypto/null_encrypter.cc \
 	net/quic/crypto/p256_key_exchange_openssl.cc \
 	net/quic/crypto/proof_source_chromium.cc \
-	net/quic/crypto/proof_verifier.cc \
 	net/quic/crypto/proof_verifier_chromium.cc \
 	net/quic/crypto/quic_crypto_client_config.cc \
 	net/quic/crypto/quic_crypto_server_config.cc \
@@ -351,6 +349,7 @@ LOCAL_SRC_FILES := \
 	net/quic/quic_alarm.cc \
 	net/quic/quic_bandwidth.cc \
 	net/quic/quic_client_session.cc \
+	net/quic/quic_client_session_base.cc \
 	net/quic/quic_clock.cc \
 	net/quic/quic_config.cc \
 	net/quic/quic_connection.cc \
@@ -458,6 +457,7 @@ LOCAL_SRC_FILES := \
 	net/ssl/ssl_cert_request_info.cc \
 	net/ssl/ssl_cipher_suite_names.cc \
 	net/ssl/ssl_client_auth_cache.cc \
+	net/ssl/ssl_config.cc \
 	net/ssl/ssl_config_service.cc \
 	net/ssl/ssl_config_service_defaults.cc \
 	net/ssl/ssl_info.cc \
@@ -581,6 +581,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -677,6 +678,7 @@ MY_DEFS_Release := \
 	'-DENABLE_BUILT_IN_DNS' \
 	'-DU_USING_ICU_NAMESPACE=0' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net.target.linux-x86_64.mk b/net/net.target.linux-x86_64.mk
new file mode 100644
index 0000000000..c05cd6df73
--- /dev/null
+++ b/net/net.target.linux-x86_64.mk
@@ -0,0 +1,786 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := STATIC_LIBRARIES
+LOCAL_MODULE := net_net_gyp
+LOCAL_MODULE_SUFFIX := .a
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES := \
+	$(call intermediates-dir-for,GYP,third_party_icu_icui18n_gyp)/icui18n.stamp \
+	$(call intermediates-dir-for,GYP,third_party_icu_icuuc_gyp)/icuuc.stamp \
+	$(call intermediates-dir-for,GYP,net_net_resources_gyp)/net_resources.stamp \
+	$(call intermediates-dir-for,GYP,net_net_jni_headers_gyp)/net_jni_headers.stamp
+
+GYP_GENERATED_OUTPUTS :=
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_CPP_EXTENSION := .cc
+LOCAL_GENERATED_SOURCES :=
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES := \
+	net/android/cert_verify_result_android.cc \
+	net/android/gurl_utils.cc \
+	net/android/android_private_key.cc \
+	net/android/keystore.cc \
+	net/android/keystore_openssl.cc \
+	net/android/net_jni_registrar.cc \
+	net/android/network_change_notifier_android.cc \
+	net/android/network_change_notifier_delegate_android.cc \
+	net/android/network_change_notifier_factory_android.cc \
+	net/android/network_library.cc \
+	net/base/address_list.cc \
+	net/base/address_tracker_linux.cc \
+	net/base/auth.cc \
+	net/base/backoff_entry.cc \
+	net/base/bandwidth_metrics.cc \
+	net/base/connection_type_histograms.cc \
+	net/base/crypto_module_openssl.cc \
+	net/base/data_url.cc \
+	net/base/directory_lister.cc \
+	net/base/dns_reloader.cc \
+	net/base/dns_util.cc \
+	net/base/escape.cc \
+	net/base/file_stream.cc \
+	net/base/file_stream_context.cc \
+	net/base/file_stream_context_posix.cc \
+	net/base/file_stream_metrics.cc \
+	net/base/file_stream_metrics_posix.cc \
+	net/base/file_stream_net_log_parameters.cc \
+	net/base/int128.cc \
+	net/base/hash_value.cc \
+	net/base/host_mapping_rules.cc \
+	net/base/host_port_pair.cc \
+	net/base/io_buffer.cc \
+	net/base/ip_endpoint.cc \
+	net/base/ip_pattern.cc \
+	net/base/keygen_handler.cc \
+	net/base/keygen_handler_openssl.cc \
+	net/base/load_timing_info.cc \
+	net/base/mime_sniffer.cc \
+	net/base/mime_util.cc \
+	net/base/net_errors.cc \
+	net/base/net_errors_posix.cc \
+	net/base/net_log.cc \
+	net/base/net_log_logger.cc \
+	net/base/net_module.cc \
+	net/base/net_util.cc \
+	net/base/net_util_posix.cc \
+	net/base/network_change_notifier.cc \
+	net/base/network_delegate.cc \
+	net/base/network_time_notifier.cc \
+	net/base/openssl_private_key_store_android.cc \
+	net/base/platform_mime_util_linux.cc \
+	net/base/prioritized_dispatcher.cc \
+	net/base/registry_controlled_domains/registry_controlled_domain.cc \
+	net/base/request_priority.cc \
+	net/base/sdch_manager.cc \
+	net/base/static_cookie_policy.cc \
+	net/base/test_data_stream.cc \
+	net/base/upload_bytes_element_reader.cc \
+	net/base/upload_data_stream.cc \
+	net/base/upload_element.cc \
+	net/base/upload_element_reader.cc \
+	net/base/upload_file_element_reader.cc \
+	net/base/url_util.cc \
+	net/base/zap.cc \
+	net/cert/asn1_util.cc \
+	net/cert/cert_database.cc \
+	net/cert/cert_database_android.cc \
+	net/cert/cert_status_flags.cc \
+	net/cert/cert_verifier.cc \
+	net/cert/cert_verify_proc.cc \
+	net/cert/cert_verify_proc_android.cc \
+	net/cert/cert_verify_result.cc \
+	net/cert/crl_set.cc \
+	net/cert/ct_known_logs.cc \
+	net/cert/ct_log_verifier.cc \
+	net/cert/ct_log_verifier_openssl.cc \
+	net/cert/ct_objects_extractor_openssl.cc \
+	net/cert/ct_serialization.cc \
+	net/cert/ct_signed_certificate_timestamp_log_param.cc \
+	net/cert/ct_verify_result.cc \
+	net/cert/ev_root_ca_metadata.cc \
+	net/cert/jwk_serializer_openssl.cc \
+	net/cert/multi_log_ct_verifier.cc \
+	net/cert/multi_threaded_cert_verifier.cc \
+	net/cert/pem_tokenizer.cc \
+	net/cert/signed_certificate_timestamp.cc \
+	net/cert/single_request_cert_verifier.cc \
+	net/cert/test_root_certs.cc \
+	net/cert/test_root_certs_android.cc \
+	net/cert/x509_cert_types.cc \
+	net/cert/x509_certificate.cc \
+	net/cert/x509_certificate_net_log_param.cc \
+	net/cert/x509_certificate_openssl.cc \
+	net/cert/x509_util.cc \
+	net/cert/x509_util_android.cc \
+	net/cert/x509_util_openssl.cc \
+	net/cookies/canonical_cookie.cc \
+	net/cookies/cookie_constants.cc \
+	net/cookies/cookie_monster.cc \
+	net/cookies/cookie_store.cc \
+	net/cookies/cookie_util.cc \
+	net/cookies/parsed_cookie.cc \
+	net/disk_cache/blockfile/addr.cc \
+	net/disk_cache/blockfile/backend_impl.cc \
+	net/disk_cache/blockfile/backend_impl_v3.cc \
+	net/disk_cache/blockfile/backend_worker_v3.cc \
+	net/disk_cache/blockfile/bitmap.cc \
+	net/disk_cache/blockfile/block_bitmaps_v3.cc \
+	net/disk_cache/blockfile/block_files.cc \
+	net/disk_cache/blockfile/disk_format.cc \
+	net/disk_cache/blockfile/entry_impl.cc \
+	net/disk_cache/blockfile/entry_impl_v3.cc \
+	net/disk_cache/blockfile/eviction.cc \
+	net/disk_cache/blockfile/eviction_v3.cc \
+	net/disk_cache/blockfile/file.cc \
+	net/disk_cache/blockfile/file_lock.cc \
+	net/disk_cache/blockfile/file_posix.cc \
+	net/disk_cache/blockfile/in_flight_backend_io.cc \
+	net/disk_cache/blockfile/in_flight_io.cc \
+	net/disk_cache/blockfile/index_table_v3.cc \
+	net/disk_cache/blockfile/mapped_file.cc \
+	net/disk_cache/blockfile/mapped_file_avoid_mmap_posix.cc \
+	net/disk_cache/blockfile/rankings.cc \
+	net/disk_cache/blockfile/sparse_control.cc \
+	net/disk_cache/blockfile/stats.cc \
+	net/disk_cache/blockfile/stats_histogram.cc \
+	net/disk_cache/blockfile/trace.cc \
+	net/disk_cache/cache_creator.cc \
+	net/disk_cache/cache_util.cc \
+	net/disk_cache/cache_util_posix.cc \
+	net/disk_cache/memory/mem_backend_impl.cc \
+	net/disk_cache/memory/mem_entry_impl.cc \
+	net/disk_cache/memory/mem_rankings.cc \
+	net/disk_cache/net_log_parameters.cc \
+	net/disk_cache/simple/simple_backend_impl.cc \
+	net/disk_cache/simple/simple_entry_format.cc \
+	net/disk_cache/simple/simple_entry_impl.cc \
+	net/disk_cache/simple/simple_entry_operation.cc \
+	net/disk_cache/simple/simple_index.cc \
+	net/disk_cache/simple/simple_index_file.cc \
+	net/disk_cache/simple/simple_index_file_posix.cc \
+	net/disk_cache/simple/simple_net_log_parameters.cc \
+	net/disk_cache/simple/simple_synchronous_entry.cc \
+	net/disk_cache/simple/simple_util.cc \
+	net/disk_cache/simple/simple_version_upgrade.cc \
+	net/disk_cache/tracing/tracing_cache_backend.cc \
+	net/dns/address_sorter_posix.cc \
+	net/dns/dns_client.cc \
+	net/dns/dns_config_service.cc \
+	net/dns/dns_config_service_posix.cc \
+	net/dns/dns_hosts.cc \
+	net/dns/dns_query.cc \
+	net/dns/dns_response.cc \
+	net/dns/dns_session.cc \
+	net/dns/dns_socket_pool.cc \
+	net/dns/dns_transaction.cc \
+	net/dns/host_cache.cc \
+	net/dns/host_resolver.cc \
+	net/dns/host_resolver_impl.cc \
+	net/dns/host_resolver_proc.cc \
+	net/dns/mapped_host_resolver.cc \
+	net/dns/serial_worker.cc \
+	net/dns/single_request_host_resolver.cc \
+	net/filter/filter.cc \
+	net/filter/gzip_filter.cc \
+	net/filter/gzip_header.cc \
+	net/filter/sdch_filter.cc \
+	net/ftp/ftp_auth_cache.cc \
+	net/ftp/ftp_ctrl_response_buffer.cc \
+	net/ftp/ftp_directory_listing_parser.cc \
+	net/ftp/ftp_directory_listing_parser_ls.cc \
+	net/ftp/ftp_directory_listing_parser_netware.cc \
+	net/ftp/ftp_directory_listing_parser_os2.cc \
+	net/ftp/ftp_directory_listing_parser_vms.cc \
+	net/ftp/ftp_directory_listing_parser_windows.cc \
+	net/ftp/ftp_network_layer.cc \
+	net/ftp/ftp_network_session.cc \
+	net/ftp/ftp_network_transaction.cc \
+	net/ftp/ftp_response_info.cc \
+	net/ftp/ftp_server_type_histograms.cc \
+	net/ftp/ftp_util.cc \
+	net/http/des.cc \
+	net/http/disk_cache_based_quic_server_info.cc \
+	net/http/failing_http_transaction_factory.cc \
+	net/http/http_auth.cc \
+	net/http/http_auth_cache.cc \
+	net/http/http_auth_challenge_tokenizer.cc \
+	net/http/http_auth_controller.cc \
+	net/http/http_auth_filter.cc \
+	net/http/http_auth_handler.cc \
+	net/http/http_auth_handler_basic.cc \
+	net/http/http_auth_handler_digest.cc \
+	net/http/http_auth_handler_factory.cc \
+	net/http/http_auth_handler_ntlm.cc \
+	net/http/http_auth_handler_ntlm_portable.cc \
+	net/http/http_basic_state.cc \
+	net/http/http_basic_stream.cc \
+	net/http/http_byte_range.cc \
+	net/http/http_cache.cc \
+	net/http/http_cache_transaction.cc \
+	net/http/http_content_disposition.cc \
+	net/http/http_chunked_decoder.cc \
+	net/http/http_log_util.cc \
+	net/http/http_network_layer.cc \
+	net/http/http_network_session.cc \
+	net/http/http_network_session_peer.cc \
+	net/http/http_network_transaction.cc \
+	net/http/http_pipelined_connection_impl.cc \
+	net/http/http_pipelined_host.cc \
+	net/http/http_pipelined_host_forced.cc \
+	net/http/http_pipelined_host_impl.cc \
+	net/http/http_pipelined_host_pool.cc \
+	net/http/http_pipelined_stream.cc \
+	net/http/http_proxy_client_socket.cc \
+	net/http/http_proxy_client_socket_pool.cc \
+	net/http/http_request_headers.cc \
+	net/http/http_request_info.cc \
+	net/http/http_response_body_drainer.cc \
+	net/http/http_response_headers.cc \
+	net/http/http_response_info.cc \
+	net/http/http_security_headers.cc \
+	net/http/http_server_properties.cc \
+	net/http/http_server_properties_impl.cc \
+	net/http/http_status_code.cc \
+	net/http/http_stream_factory.cc \
+	net/http/http_stream_factory_impl.cc \
+	net/http/http_stream_factory_impl_job.cc \
+	net/http/http_stream_factory_impl_request.cc \
+	net/http/http_stream_parser.cc \
+	net/http/http_util.cc \
+	net/http/http_util_icu.cc \
+	net/http/http_vary_data.cc \
+	net/http/md4.cc \
+	net/http/partial_data.cc \
+	net/http/proxy_client_socket.cc \
+	net/http/proxy_connect_redirect_http_stream.cc \
+	net/http/transport_security_persister.cc \
+	net/http/transport_security_state.cc \
+	net/http/url_security_manager.cc \
+	net/http/url_security_manager_posix.cc \
+	net/proxy/dhcp_proxy_script_fetcher.cc \
+	net/proxy/dhcp_proxy_script_fetcher_factory.cc \
+	net/proxy/multi_threaded_proxy_resolver.cc \
+	net/proxy/network_delegate_error_observer.cc \
+	net/proxy/polling_proxy_config_service.cc \
+	net/proxy/proxy_bypass_rules.cc \
+	net/proxy/proxy_config.cc \
+	net/proxy/proxy_config_service_android.cc \
+	net/proxy/proxy_config_service_fixed.cc \
+	net/proxy/proxy_config_source.cc \
+	net/proxy/proxy_info.cc \
+	net/proxy/proxy_list.cc \
+	net/proxy/proxy_resolver_script_data.cc \
+	net/proxy/proxy_script_decider.cc \
+	net/proxy/proxy_script_fetcher_impl.cc \
+	net/proxy/proxy_server.cc \
+	net/proxy/proxy_service.cc \
+	net/quic/congestion_control/available_channel_estimator.cc \
+	net/quic/congestion_control/channel_estimator.cc \
+	net/quic/congestion_control/cube_root.cc \
+	net/quic/congestion_control/cubic.cc \
+	net/quic/congestion_control/fix_rate_receiver.cc \
+	net/quic/congestion_control/fix_rate_sender.cc \
+	net/quic/congestion_control/hybrid_slow_start.cc \
+	net/quic/congestion_control/inter_arrival_bitrate_ramp_up.cc \
+	net/quic/congestion_control/inter_arrival_overuse_detector.cc \
+	net/quic/congestion_control/inter_arrival_probe.cc \
+	net/quic/congestion_control/inter_arrival_receiver.cc \
+	net/quic/congestion_control/inter_arrival_sender.cc \
+	net/quic/congestion_control/inter_arrival_state_machine.cc \
+	net/quic/congestion_control/leaky_bucket.cc \
+	net/quic/congestion_control/loss_detection_interface.cc \
+	net/quic/congestion_control/paced_sender.cc \
+	net/quic/congestion_control/pacing_sender.cc \
+	net/quic/congestion_control/receive_algorithm_interface.cc \
+	net/quic/congestion_control/rtt_stats.cc \
+	net/quic/congestion_control/send_algorithm_interface.cc \
+	net/quic/congestion_control/tcp_cubic_sender.cc \
+	net/quic/congestion_control/tcp_loss_algorithm.cc \
+	net/quic/congestion_control/tcp_receiver.cc \
+	net/quic/congestion_control/time_loss_algorithm.cc \
+	net/quic/crypto/aead_base_decrypter_openssl.cc \
+	net/quic/crypto/aead_base_encrypter_openssl.cc \
+	net/quic/crypto/aes_128_gcm_12_decrypter_openssl.cc \
+	net/quic/crypto/aes_128_gcm_12_encrypter_openssl.cc \
+	net/quic/crypto/cert_compressor.cc \
+	net/quic/crypto/chacha20_poly1305_decrypter_openssl.cc \
+	net/quic/crypto/chacha20_poly1305_encrypter_openssl.cc \
+	net/quic/crypto/channel_id.cc \
+	net/quic/crypto/channel_id_openssl.cc \
+	net/quic/crypto/common_cert_set.cc \
+	net/quic/crypto/crypto_framer.cc \
+	net/quic/crypto/crypto_handshake.cc \
+	net/quic/crypto/crypto_handshake_message.cc \
+	net/quic/crypto/crypto_secret_boxer.cc \
+	net/quic/crypto/crypto_server_config_protobuf.cc \
+	net/quic/crypto/crypto_utils.cc \
+	net/quic/crypto/curve25519_key_exchange.cc \
+	net/quic/crypto/local_strike_register_client.cc \
+	net/quic/crypto/null_decrypter.cc \
+	net/quic/crypto/null_encrypter.cc \
+	net/quic/crypto/p256_key_exchange_openssl.cc \
+	net/quic/crypto/proof_source_chromium.cc \
+	net/quic/crypto/proof_verifier_chromium.cc \
+	net/quic/crypto/quic_crypto_client_config.cc \
+	net/quic/crypto/quic_crypto_server_config.cc \
+	net/quic/crypto/quic_decrypter.cc \
+	net/quic/crypto/quic_encrypter.cc \
+	net/quic/crypto/quic_random.cc \
+	net/quic/crypto/quic_server_info.cc \
+	net/quic/crypto/scoped_evp_aead_ctx.cc \
+	net/quic/crypto/strike_register.cc \
+	net/quic/crypto/source_address_token.cc \
+	net/quic/iovector.cc \
+	net/quic/port_suggester.cc \
+	net/quic/quic_ack_notifier.cc \
+	net/quic/quic_ack_notifier_manager.cc \
+	net/quic/quic_address_mismatch.cc \
+	net/quic/quic_alarm.cc \
+	net/quic/quic_bandwidth.cc \
+	net/quic/quic_client_session.cc \
+	net/quic/quic_client_session_base.cc \
+	net/quic/quic_clock.cc \
+	net/quic/quic_config.cc \
+	net/quic/quic_connection.cc \
+	net/quic/quic_connection_helper.cc \
+	net/quic/quic_connection_logger.cc \
+	net/quic/quic_connection_stats.cc \
+	net/quic/quic_crypto_client_stream.cc \
+	net/quic/quic_crypto_server_stream.cc \
+	net/quic/quic_crypto_stream.cc \
+	net/quic/quic_data_reader.cc \
+	net/quic/quic_data_stream.cc \
+	net/quic/quic_data_writer.cc \
+	net/quic/quic_default_packet_writer.cc \
+	net/quic/quic_fec_group.cc \
+	net/quic/quic_framer.cc \
+	net/quic/quic_headers_stream.cc \
+	net/quic/quic_http_stream.cc \
+	net/quic/quic_http_utils.cc \
+	net/quic/quic_packet_creator.cc \
+	net/quic/quic_packet_generator.cc \
+	net/quic/quic_protocol.cc \
+	net/quic/quic_received_packet_manager.cc \
+	net/quic/quic_reliable_client_stream.cc \
+	net/quic/quic_sent_entropy_manager.cc \
+	net/quic/quic_sent_packet_manager.cc \
+	net/quic/quic_session.cc \
+	net/quic/quic_session_key.cc \
+	net/quic/quic_socket_address_coder.cc \
+	net/quic/quic_stream_factory.cc \
+	net/quic/quic_stream_sequencer.cc \
+	net/quic/quic_time.cc \
+	net/quic/quic_unacked_packet_map.cc \
+	net/quic/quic_utils.cc \
+	net/quic/quic_write_blocked_list.cc \
+	net/quic/reliable_quic_stream.cc \
+	net/quic/spdy_utils.cc \
+	net/socket/buffered_write_stream_socket.cc \
+	net/socket/client_socket_factory.cc \
+	net/socket/client_socket_handle.cc \
+	net/socket/client_socket_pool.cc \
+	net/socket/client_socket_pool_base.cc \
+	net/socket/client_socket_pool_histograms.cc \
+	net/socket/client_socket_pool_manager.cc \
+	net/socket/client_socket_pool_manager_impl.cc \
+	net/socket/socket_descriptor.cc \
+	net/socket/socket_net_log_params.cc \
+	net/socket/socks5_client_socket.cc \
+	net/socket/socks_client_socket.cc \
+	net/socket/socks_client_socket_pool.cc \
+	net/socket/ssl_client_socket.cc \
+	net/socket/ssl_client_socket_openssl.cc \
+	net/socket/ssl_client_socket_pool.cc \
+	net/socket/ssl_error_params.cc \
+	net/socket/ssl_server_socket_openssl.cc \
+	net/socket/ssl_session_cache_openssl.cc \
+	net/socket/stream_listen_socket.cc \
+	net/socket/stream_socket.cc \
+	net/socket/tcp_client_socket.cc \
+	net/socket/tcp_listen_socket.cc \
+	net/socket/tcp_server_socket.cc \
+	net/socket/tcp_socket.cc \
+	net/socket/tcp_socket_libevent.cc \
+	net/socket/transport_client_socket_pool.cc \
+	net/socket/unix_domain_socket_posix.cc \
+	net/socket_stream/socket_stream.cc \
+	net/socket_stream/socket_stream_job.cc \
+	net/socket_stream/socket_stream_job_manager.cc \
+	net/socket_stream/socket_stream_metrics.cc \
+	net/spdy/buffered_spdy_framer.cc \
+	net/spdy/hpack_constants.cc \
+	net/spdy/hpack_decoder.cc \
+	net/spdy/hpack_encoder.cc \
+	net/spdy/hpack_encoding_context.cc \
+	net/spdy/hpack_entry.cc \
+	net/spdy/hpack_header_table.cc \
+	net/spdy/hpack_huffman_table.cc \
+	net/spdy/hpack_input_stream.cc \
+	net/spdy/hpack_output_stream.cc \
+	net/spdy/hpack_string_util.cc \
+	net/spdy/spdy_buffer.cc \
+	net/spdy/spdy_buffer_producer.cc \
+	net/spdy/spdy_frame_builder.cc \
+	net/spdy/spdy_frame_reader.cc \
+	net/spdy/spdy_framer.cc \
+	net/spdy/spdy_header_block.cc \
+	net/spdy/spdy_headers_block_parser.cc \
+	net/spdy/spdy_http_stream.cc \
+	net/spdy/spdy_http_utils.cc \
+	net/spdy/spdy_pinnable_buffer_piece.cc \
+	net/spdy/spdy_prefixed_buffer_reader.cc \
+	net/spdy/spdy_protocol.cc \
+	net/spdy/spdy_proxy_client_socket.cc \
+	net/spdy/spdy_read_queue.cc \
+	net/spdy/spdy_session.cc \
+	net/spdy/spdy_session_key.cc \
+	net/spdy/spdy_session_pool.cc \
+	net/spdy/spdy_stream.cc \
+	net/spdy/spdy_websocket_stream.cc \
+	net/spdy/spdy_write_queue.cc \
+	net/ssl/default_server_bound_cert_store.cc \
+	net/ssl/openssl_client_key_store.cc \
+	net/ssl/server_bound_cert_service.cc \
+	net/ssl/server_bound_cert_store.cc \
+	net/ssl/signed_certificate_timestamp_and_status.cc \
+	net/ssl/ssl_cert_request_info.cc \
+	net/ssl/ssl_cipher_suite_names.cc \
+	net/ssl/ssl_client_auth_cache.cc \
+	net/ssl/ssl_config.cc \
+	net/ssl/ssl_config_service.cc \
+	net/ssl/ssl_config_service_defaults.cc \
+	net/ssl/ssl_info.cc \
+	net/udp/udp_client_socket.cc \
+	net/udp/udp_net_log_parameters.cc \
+	net/udp/udp_server_socket.cc \
+	net/udp/udp_socket_libevent.cc \
+	net/url_request/data_protocol_handler.cc \
+	net/url_request/file_protocol_handler.cc \
+	net/url_request/ftp_protocol_handler.cc \
+	net/url_request/protocol_intercept_job_factory.cc \
+	net/url_request/static_http_user_agent_settings.cc \
+	net/url_request/url_fetcher.cc \
+	net/url_request/url_fetcher_core.cc \
+	net/url_request/url_fetcher_delegate.cc \
+	net/url_request/url_fetcher_impl.cc \
+	net/url_request/url_fetcher_response_writer.cc \
+	net/url_request/url_range_request_job.cc \
+	net/url_request/url_request.cc \
+	net/url_request/url_request_about_job.cc \
+	net/url_request/url_request_context.cc \
+	net/url_request/url_request_context_builder.cc \
+	net/url_request/url_request_context_getter.cc \
+	net/url_request/url_request_context_storage.cc \
+	net/url_request/url_request_data_job.cc \
+	net/url_request/url_request_error_job.cc \
+	net/url_request/url_request_file_dir_job.cc \
+	net/url_request/url_request_file_job.cc \
+	net/url_request/url_request_filter.cc \
+	net/url_request/url_request_ftp_job.cc \
+	net/url_request/url_request_http_job.cc \
+	net/url_request/url_request_job.cc \
+	net/url_request/url_request_job_factory.cc \
+	net/url_request/url_request_job_factory_impl.cc \
+	net/url_request/url_request_job_manager.cc \
+	net/url_request/url_request_netlog_params.cc \
+	net/url_request/url_request_redirect_job.cc \
+	net/url_request/url_request_simple_job.cc \
+	net/url_request/url_request_test_job.cc \
+	net/url_request/url_request_throttler_entry.cc \
+	net/url_request/url_request_throttler_header_adapter.cc \
+	net/url_request/url_request_throttler_manager.cc \
+	net/url_request/view_cache_helper.cc \
+	net/url_request/websocket_handshake_userdata_key.cc \
+	net/websockets/websocket_basic_handshake_stream.cc \
+	net/websockets/websocket_basic_stream.cc \
+	net/websockets/websocket_channel.cc \
+	net/websockets/websocket_deflate_predictor_impl.cc \
+	net/websockets/websocket_deflate_stream.cc \
+	net/websockets/websocket_deflater.cc \
+	net/websockets/websocket_errors.cc \
+	net/websockets/websocket_extension.cc \
+	net/websockets/websocket_extension_parser.cc \
+	net/websockets/websocket_frame.cc \
+	net/websockets/websocket_frame_parser.cc \
+	net/websockets/websocket_handshake_constants.cc \
+	net/websockets/websocket_handshake_handler.cc \
+	net/websockets/websocket_handshake_request_info.cc \
+	net/websockets/websocket_handshake_response_info.cc \
+	net/websockets/websocket_handshake_stream_create_helper.cc \
+	net/websockets/websocket_inflater.cc \
+	net/websockets/websocket_job.cc \
+	net/websockets/websocket_net_log_params.cc \
+	net/websockets/websocket_stream.cc \
+	net/websockets/websocket_throttle.cc
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DNET_IMPLEMENTATION' \
+	'-DPOSIX_AVOID_MMAP' \
+	'-DENABLE_BUILT_IN_DNS' \
+	'-DU_USING_ICU_NAMESPACE=0' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(gyp_shared_intermediate_dir)/shim_headers/icuuc/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/icui18n/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
+	$(LOCAL_PATH)/third_party/openssl \
+	$(LOCAL_PATH) \
+	$(LOCAL_PATH)/sdch/open-vcdiff/src \
+	$(PWD)/external/icu4c/common \
+	$(PWD)/external/icu4c/i18n \
+	$(LOCAL_PATH)/third_party/zlib \
+	$(gyp_shared_intermediate_dir)/net \
+	$(LOCAL_PATH)/third_party/openssl/config/x64 \
+	$(LOCAL_PATH)/third_party/openssl/openssl/include \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DNET_IMPLEMENTATION' \
+	'-DPOSIX_AVOID_MMAP' \
+	'-DENABLE_BUILT_IN_DNS' \
+	'-DU_USING_ICU_NAMESPACE=0' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(gyp_shared_intermediate_dir)/shim_headers/icuuc/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/icui18n/target \
+	$(gyp_shared_intermediate_dir)/shim_headers/ashmem/target \
+	$(LOCAL_PATH)/third_party/openssl \
+	$(LOCAL_PATH) \
+	$(LOCAL_PATH)/sdch/open-vcdiff/src \
+	$(PWD)/external/icu4c/common \
+	$(PWD)/external/icu4c/i18n \
+	$(LOCAL_PATH)/third_party/zlib \
+	$(gyp_shared_intermediate_dir)/net \
+	$(LOCAL_PATH)/third_party/openssl/config/x64 \
+	$(LOCAL_PATH)/third_party/openssl/openssl/include \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+
+LOCAL_LDFLAGS_Debug := \
+	-Wl,--fatal-warnings \
+	-Wl,-z,now \
+	-Wl,-z,relro \
+	-Wl,-z,noexecstack \
+	-fPIC \
+	-m64 \
+	-fuse-ld=gold \
+	-nostdlib \
+	-Wl,--no-undefined \
+	-Wl,--exclude-libs=ALL \
+	-Wl,--gc-sections \
+	-Wl,--warn-shared-textrel \
+	-Wl,-O1 \
+	-Wl,--as-needed
+
+
+LOCAL_LDFLAGS_Release := \
+	-Wl,--fatal-warnings \
+	-Wl,-z,now \
+	-Wl,-z,relro \
+	-Wl,-z,noexecstack \
+	-fPIC \
+	-m64 \
+	-fuse-ld=gold \
+	-nostdlib \
+	-Wl,--no-undefined \
+	-Wl,--exclude-libs=ALL \
+	-Wl,-O1 \
+	-Wl,--as-needed \
+	-Wl,--gc-sections \
+	-Wl,--warn-shared-textrel
+
+
+LOCAL_LDFLAGS := $(LOCAL_LDFLAGS_$(GYP_CONFIGURATION))
+
+LOCAL_STATIC_LIBRARIES :=
+
+# Enable grouping to fix circular references
+LOCAL_GROUP_STATIC_LIBRARIES := true
+
+LOCAL_SHARED_LIBRARIES := \
+	libstlport \
+	libdl
+
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_net_gyp
+
+# Alias gyp target name.
+.PHONY: net
+net: net_net_gyp
+
+include $(BUILD_STATIC_LIBRARY)
diff --git a/net/net_errors_java.target.darwin-arm.mk b/net/net_errors_java.target.darwin-arm.mk
index 649f9325d4..a570cbff50 100644
--- a/net/net_errors_java.target.darwin-arm.mk
+++ b/net/net_errors_java.target.darwin-arm.mk
@@ -94,6 +94,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -176,6 +177,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_errors_java.target.darwin-mips.mk b/net/net_errors_java.target.darwin-mips.mk
index 973cb6e70a..55a83d82d5 100644
--- a/net/net_errors_java.target.darwin-mips.mk
+++ b/net/net_errors_java.target.darwin-mips.mk
@@ -93,6 +93,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -174,6 +175,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_errors_java.target.darwin-x86.mk b/net/net_errors_java.target.darwin-x86.mk
index c0bd8cd577..c41c6f336a 100644
--- a/net/net_errors_java.target.darwin-x86.mk
+++ b/net/net_errors_java.target.darwin-x86.mk
@@ -95,6 +95,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -177,6 +178,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_errors_java.target.darwin-x86_64.mk b/net/net_errors_java.target.darwin-x86_64.mk
new file mode 100644
index 0000000000..77466a9d00
--- /dev/null
+++ b/net/net_errors_java.target.darwin-x86_64.mk
@@ -0,0 +1,233 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_net_errors_java_gyp
+LOCAL_MODULE_STEM := net_errors_java
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_net_errors_java_target_generate_java_constants":
+# "{'inputs': ['../build/android/gyp/util/build_utils.py', '../build/android/gyp/gcc_preprocess.py', 'base/net_error_list.h'], 'extension': 'template', 'outputs': ['$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'], 'variables': {'output_path': '$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'}, 'rule_name': 'generate_java_constants', 'rule_sources': ['android/java/NetError.template'], 'action': ['python', '../build/android/gyp/gcc_preprocess.py', '--include-path=..', '--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java', '--template=$(RULE_SOURCES)'], 'message': 'Generating Java from cpp template $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: $(LOCAL_PATH)/net/android/java/NetError.template $(LOCAL_PATH)/build/android/gyp/util/build_utils.py $(LOCAL_PATH)/build/android/gyp/gcc_preprocess.py $(LOCAL_PATH)/net/base/net_error_list.h $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/templates/org/chromium/net; cd $(gyp_local_path)/net; python ../build/android/gyp/gcc_preprocess.py "--include-path=.." "--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java" "--template=android/java/NetError.template"
+
+.PHONY: net_net_errors_java_gyp_rule_trigger
+net_net_errors_java_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	net_net_errors_java_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_net_errors_java_gyp
+
+# Alias gyp target name.
+.PHONY: net_errors_java
+net_errors_java: net_net_errors_java_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/net_errors_java.target.linux-arm.mk b/net/net_errors_java.target.linux-arm.mk
index 649f9325d4..a570cbff50 100644
--- a/net/net_errors_java.target.linux-arm.mk
+++ b/net/net_errors_java.target.linux-arm.mk
@@ -94,6 +94,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -176,6 +177,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_errors_java.target.linux-mips.mk b/net/net_errors_java.target.linux-mips.mk
index 973cb6e70a..55a83d82d5 100644
--- a/net/net_errors_java.target.linux-mips.mk
+++ b/net/net_errors_java.target.linux-mips.mk
@@ -93,6 +93,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -174,6 +175,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_errors_java.target.linux-x86.mk b/net/net_errors_java.target.linux-x86.mk
index c0bd8cd577..c41c6f336a 100644
--- a/net/net_errors_java.target.linux-x86.mk
+++ b/net/net_errors_java.target.linux-x86.mk
@@ -95,6 +95,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -177,6 +178,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_errors_java.target.linux-x86_64.mk b/net/net_errors_java.target.linux-x86_64.mk
new file mode 100644
index 0000000000..77466a9d00
--- /dev/null
+++ b/net/net_errors_java.target.linux-x86_64.mk
@@ -0,0 +1,233 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_net_errors_java_gyp
+LOCAL_MODULE_STEM := net_errors_java
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_net_errors_java_target_generate_java_constants":
+# "{'inputs': ['../build/android/gyp/util/build_utils.py', '../build/android/gyp/gcc_preprocess.py', 'base/net_error_list.h'], 'extension': 'template', 'outputs': ['$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'], 'variables': {'output_path': '$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'}, 'rule_name': 'generate_java_constants', 'rule_sources': ['android/java/NetError.template'], 'action': ['python', '../build/android/gyp/gcc_preprocess.py', '--include-path=..', '--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java', '--template=$(RULE_SOURCES)'], 'message': 'Generating Java from cpp template $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java: $(LOCAL_PATH)/net/android/java/NetError.template $(LOCAL_PATH)/build/android/gyp/util/build_utils.py $(LOCAL_PATH)/build/android/gyp/gcc_preprocess.py $(LOCAL_PATH)/net/base/net_error_list.h $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/templates/org/chromium/net; cd $(gyp_local_path)/net; python ../build/android/gyp/gcc_preprocess.py "--include-path=.." "--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java" "--template=android/java/NetError.template"
+
+.PHONY: net_net_errors_java_gyp_rule_trigger
+net_net_errors_java_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/templates/org/chromium/net/NetError.java
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	net_net_errors_java_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_net_errors_java_gyp
+
+# Alias gyp target name.
+.PHONY: net_errors_java
+net_errors_java: net_net_errors_java_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/net_jni_headers.target.darwin-arm.mk b/net/net_jni_headers.target.darwin-arm.mk
index 72efa8f587..aa072be114 100644
--- a/net/net_jni_headers.target.darwin-arm.mk
+++ b/net/net_jni_headers.target.darwin-arm.mk
@@ -179,6 +179,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -261,6 +262,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_jni_headers.target.darwin-mips.mk b/net/net_jni_headers.target.darwin-mips.mk
index 1fc9cf36a6..b3d4e33cdc 100644
--- a/net/net_jni_headers.target.darwin-mips.mk
+++ b/net/net_jni_headers.target.darwin-mips.mk
@@ -178,6 +178,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -259,6 +260,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_jni_headers.target.darwin-x86.mk b/net/net_jni_headers.target.darwin-x86.mk
index 2993d90cec..7341032a6e 100644
--- a/net/net_jni_headers.target.darwin-x86.mk
+++ b/net/net_jni_headers.target.darwin-x86.mk
@@ -180,6 +180,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -262,6 +263,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_jni_headers.target.darwin-x86_64.mk b/net/net_jni_headers.target.darwin-x86_64.mk
new file mode 100644
index 0000000000..8bf705f299
--- /dev/null
+++ b/net/net_jni_headers.target.darwin-x86_64.mk
@@ -0,0 +1,318 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_net_jni_headers_gyp
+LOCAL_MODULE_STEM := net_jni_headers
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_net_jni_headers_target_generate_jni_headers":
+# "{'inputs': ['../base/android/jni_generator/jni_generator.py', '../android_webview/build/jarjar-rules.txt'], 'process_outputs_as_sources': '1', 'extension': 'java', 'outputs': ['$(gyp_shared_intermediate_dir)/net/jni/%(INPUT_ROOT)s_jni.h'], 'rule_name': 'generate_jni_headers', 'rule_sources': ['android/java/src/org/chromium/net/AndroidCertVerifyResult.java', 'android/java/src/org/chromium/net/AndroidKeyStore.java', 'android/java/src/org/chromium/net/AndroidNetworkLibrary.java', 'android/java/src/org/chromium/net/AndroidPrivateKey.java', 'android/java/src/org/chromium/net/GURLUtils.java', 'android/java/src/org/chromium/net/NetworkChangeNotifier.java', 'android/java/src/org/chromium/net/ProxyChangeListener.java', 'android/java/src/org/chromium/net/X509Util.java'], 'action': ['../base/android/jni_generator/jni_generator.py', '--input_file', '$(RULE_SOURCES)', '--output_dir', '$(gyp_shared_intermediate_dir)/net/jni', '--includes', 'base/android/jni_generator/jni_generator_helper.h', '--optimize_generation', '0', '--jarjar', '../android_webview/build/jarjar-rules.txt', '--ptr_type', 'long'], 'message': 'Generating JNI bindings from $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/AndroidCertVerifyResult.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/AndroidCertVerifyResult.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/AndroidKeyStore.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/AndroidKeyStore.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/AndroidNetworkLibrary.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/AndroidNetworkLibrary.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/AndroidPrivateKey.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/AndroidPrivateKey.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/GURLUtils.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/GURLUtils.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/NetworkChangeNotifier.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/NetworkChangeNotifier.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/ProxyChangeListener.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/ProxyChangeListener.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/X509Util.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/X509Util.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h \
+	net_net_jni_headers_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_net_jni_headers_gyp
+
+# Alias gyp target name.
+.PHONY: net_jni_headers
+net_jni_headers: net_net_jni_headers_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/net_jni_headers.target.linux-arm.mk b/net/net_jni_headers.target.linux-arm.mk
index 72efa8f587..aa072be114 100644
--- a/net/net_jni_headers.target.linux-arm.mk
+++ b/net/net_jni_headers.target.linux-arm.mk
@@ -179,6 +179,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -261,6 +262,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_jni_headers.target.linux-mips.mk b/net/net_jni_headers.target.linux-mips.mk
index 1fc9cf36a6..b3d4e33cdc 100644
--- a/net/net_jni_headers.target.linux-mips.mk
+++ b/net/net_jni_headers.target.linux-mips.mk
@@ -178,6 +178,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -259,6 +260,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_jni_headers.target.linux-x86.mk b/net/net_jni_headers.target.linux-x86.mk
index 2993d90cec..7341032a6e 100644
--- a/net/net_jni_headers.target.linux-x86.mk
+++ b/net/net_jni_headers.target.linux-x86.mk
@@ -180,6 +180,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -262,6 +263,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/net_jni_headers.target.linux-x86_64.mk b/net/net_jni_headers.target.linux-x86_64.mk
new file mode 100644
index 0000000000..8bf705f299
--- /dev/null
+++ b/net/net_jni_headers.target.linux-x86_64.mk
@@ -0,0 +1,318 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_net_jni_headers_gyp
+LOCAL_MODULE_STEM := net_jni_headers
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_net_jni_headers_target_generate_jni_headers":
+# "{'inputs': ['../base/android/jni_generator/jni_generator.py', '../android_webview/build/jarjar-rules.txt'], 'process_outputs_as_sources': '1', 'extension': 'java', 'outputs': ['$(gyp_shared_intermediate_dir)/net/jni/%(INPUT_ROOT)s_jni.h'], 'rule_name': 'generate_jni_headers', 'rule_sources': ['android/java/src/org/chromium/net/AndroidCertVerifyResult.java', 'android/java/src/org/chromium/net/AndroidKeyStore.java', 'android/java/src/org/chromium/net/AndroidNetworkLibrary.java', 'android/java/src/org/chromium/net/AndroidPrivateKey.java', 'android/java/src/org/chromium/net/GURLUtils.java', 'android/java/src/org/chromium/net/NetworkChangeNotifier.java', 'android/java/src/org/chromium/net/ProxyChangeListener.java', 'android/java/src/org/chromium/net/X509Util.java'], 'action': ['../base/android/jni_generator/jni_generator.py', '--input_file', '$(RULE_SOURCES)', '--output_dir', '$(gyp_shared_intermediate_dir)/net/jni', '--includes', 'base/android/jni_generator/jni_generator_helper.h', '--optimize_generation', '0', '--jarjar', '../android_webview/build/jarjar-rules.txt', '--ptr_type', 'long'], 'message': 'Generating JNI bindings from $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/AndroidCertVerifyResult.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/AndroidCertVerifyResult.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/AndroidKeyStore.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/AndroidKeyStore.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/AndroidNetworkLibrary.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/AndroidNetworkLibrary.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/AndroidPrivateKey.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/AndroidPrivateKey.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/GURLUtils.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/GURLUtils.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/NetworkChangeNotifier.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/NetworkChangeNotifier.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/ProxyChangeListener.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/ProxyChangeListener.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h
+
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h: $(LOCAL_PATH)/net/android/java/src/org/chromium/net/X509Util.java $(LOCAL_PATH)/base/android/jni_generator/jni_generator.py $(LOCAL_PATH)/android_webview/build/jarjar-rules.txt $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/net/jni; cd $(gyp_local_path)/net; ../base/android/jni_generator/jni_generator.py --input_file android/java/src/org/chromium/net/X509Util.java --output_dir "$(gyp_shared_intermediate_dir)/net/jni" --includes base/android/jni_generator/jni_generator_helper.h --optimize_generation 0 --jarjar ../android_webview/build/jarjar-rules.txt --ptr_type long
+
+.PHONY: net_net_jni_headers_gyp_rule_trigger
+net_net_jni_headers_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidCertVerifyResult_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidKeyStore_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidNetworkLibrary_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/AndroidPrivateKey_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/GURLUtils_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/NetworkChangeNotifier_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/ProxyChangeListener_jni.h \
+	$(gyp_shared_intermediate_dir)/net/jni/X509Util_jni.h \
+	net_net_jni_headers_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_net_jni_headers_gyp
+
+# Alias gyp target name.
+.PHONY: net_jni_headers
+net_jni_headers: net_net_jni_headers_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/net_resources.target.darwin-x86.mk b/net/net_resources.target.darwin-x86.mk
index 89ede6f743..80db67d70a 100644
--- a/net/net_resources.target.darwin-x86.mk
+++ b/net/net_resources.target.darwin-x86.mk
@@ -20,7 +20,7 @@ $(gyp_shared_intermediate_dir)/net/grit/net_resources.h: gyp_shared_intermediate
 $(gyp_shared_intermediate_dir)/net/grit/net_resources.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
 $(gyp_shared_intermediate_dir)/net/grit/net_resources.h: $(LOCAL_PATH)/tools/gritsettings/resource_ids $(LOCAL_PATH)/net/base/net_resources.grd $(LOCAL_PATH)/net/base/dir_header.html $(LOCAL_PATH)/tools/grit/PRESUBMIT.py $(LOCAL_PATH)/tools/grit/grit.py $(LOCAL_PATH)/tools/grit/grit/__init__.py $(LOCAL_PATH)/tools/grit/grit/clique.py $(LOCAL_PATH)/tools/grit/grit/constants.py $(LOCAL_PATH)/tools/grit/grit/exception.py $(LOCAL_PATH)/tools/grit/grit/extern/BogoFP.py $(LOCAL_PATH)/tools/grit/grit/extern/FP.py $(LOCAL_PATH)/tools/grit/grit/extern/__init__.py $(LOCAL_PATH)/tools/grit/grit/extern/tclib.py $(LOCAL_PATH)/tools/grit/grit/format/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/android_xml.py $(LOCAL_PATH)/tools/grit/grit/format/c_format.py $(LOCAL_PATH)/tools/grit/grit/format/chrome_messages_json.py $(LOCAL_PATH)/tools/grit/grit/format/data_pack.py $(LOCAL_PATH)/tools/grit/grit/format/html_inline.py $(LOCAL_PATH)/tools/grit/grit/format/js_map_format.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/PRESUBMIT.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/policy_template_generator.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/template_formatter.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writer_configuration.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/adm_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/adml_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/admx_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/doc_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/json_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/mock_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_helper.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_strings_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/reg_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/template_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/writer_unittest_common.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/xml_formatted_writer.py $(LOCAL_PATH)/tools/grit/grit/format/rc.py $(LOCAL_PATH)/tools/grit/grit/format/rc_header.py $(LOCAL_PATH)/tools/grit/grit/format/repack.py $(LOCAL_PATH)/tools/grit/grit/format/resource_map.py $(LOCAL_PATH)/tools/grit/grit/gather/__init__.py $(LOCAL_PATH)/tools/grit/grit/gather/admin_template.py $(LOCAL_PATH)/tools/grit/grit/gather/chrome_html.py $(LOCAL_PATH)/tools/grit/grit/gather/chrome_scaled_image.py $(LOCAL_PATH)/tools/grit/grit/gather/igoogle_strings.py $(LOCAL_PATH)/tools/grit/grit/gather/interface.py $(LOCAL_PATH)/tools/grit/grit/gather/json_loader.py $(LOCAL_PATH)/tools/grit/grit/gather/muppet_strings.py $(LOCAL_PATH)/tools/grit/grit/gather/policy_json.py $(LOCAL_PATH)/tools/grit/grit/gather/rc.py $(LOCAL_PATH)/tools/grit/grit/gather/regexp.py $(LOCAL_PATH)/tools/grit/grit/gather/skeleton_gatherer.py $(LOCAL_PATH)/tools/grit/grit/gather/tr_html.py $(LOCAL_PATH)/tools/grit/grit/gather/txt.py $(LOCAL_PATH)/tools/grit/grit/grd_reader.py $(LOCAL_PATH)/tools/grit/grit/grit_runner.py $(LOCAL_PATH)/tools/grit/grit/lazy_re.py $(LOCAL_PATH)/tools/grit/grit/node/__init__.py $(LOCAL_PATH)/tools/grit/grit/node/base.py $(LOCAL_PATH)/tools/grit/grit/node/custom/__init__.py $(LOCAL_PATH)/tools/grit/grit/node/custom/filename.py $(LOCAL_PATH)/tools/grit/grit/node/empty.py $(LOCAL_PATH)/tools/grit/grit/node/include.py $(LOCAL_PATH)/tools/grit/grit/node/io.py $(LOCAL_PATH)/tools/grit/grit/node/mapping.py $(LOCAL_PATH)/tools/grit/grit/node/message.py $(LOCAL_PATH)/tools/grit/grit/node/misc.py $(LOCAL_PATH)/tools/grit/grit/node/structure.py $(LOCAL_PATH)/tools/grit/grit/node/variant.py $(LOCAL_PATH)/tools/grit/grit/pseudo.py $(LOCAL_PATH)/tools/grit/grit/pseudo_rtl.py $(LOCAL_PATH)/tools/grit/grit/scons.py $(LOCAL_PATH)/tools/grit/grit/shortcuts.py $(LOCAL_PATH)/tools/grit/grit/shortcuts_unittests.py $(LOCAL_PATH)/tools/grit/grit/tclib.py $(LOCAL_PATH)/tools/grit/grit/test_suite_all.py $(LOCAL_PATH)/tools/grit/grit/tool/__init__.py $(LOCAL_PATH)/tools/grit/grit/tool/android2grd.py $(LOCAL_PATH)/tools/grit/grit/tool/build.py $(LOCAL_PATH)/tools/grit/grit/tool/buildinfo.py $(LOCAL_PATH)/tools/grit/grit/tool/count.py $(LOCAL_PATH)/tools/grit/grit/tool/diff_structures.py $(LOCAL_PATH)/tools/grit/grit/tool/interface.py $(LOCAL_PATH)/tools/grit/grit/tool/menu_from_parts.py $(LOCAL_PATH)/tools/grit/grit/tool/newgrd.py $(LOCAL_PATH)/tools/grit/grit/tool/postprocess_interface.py $(LOCAL_PATH)/tools/grit/grit/tool/preprocess_interface.py $(LOCAL_PATH)/tools/grit/grit/tool/rc2grd.py $(LOCAL_PATH)/tools/grit/grit/tool/resize.py $(LOCAL_PATH)/tools/grit/grit/tool/test.py $(LOCAL_PATH)/tools/grit/grit/tool/toolbar_postprocess.py $(LOCAL_PATH)/tools/grit/grit/tool/toolbar_preprocess.py $(LOCAL_PATH)/tools/grit/grit/tool/transl2tc.py $(LOCAL_PATH)/tools/grit/grit/tool/unit.py $(LOCAL_PATH)/tools/grit/grit/tool/xmb.py $(LOCAL_PATH)/tools/grit/grit/util.py $(LOCAL_PATH)/tools/grit/grit/xtb_reader.py $(LOCAL_PATH)/tools/grit/grit_info.py $(GYP_TARGET_DEPENDENCIES)
 	@echo "Gyp action: Generating resources from base/net_resources.grd ($@)"
-	$(hide)cd $(gyp_local_path)/net; mkdir -p $(gyp_shared_intermediate_dir)/net/grit $(gyp_shared_intermediate_dir)/net; python ../tools/grit/grit.py -i base/net_resources.grd build -f ../tools/gritsettings/resource_ids -o "$(gyp_shared_intermediate_dir)/net" -D _chromium -E "CHROMIUM_BUILD=chromium" -D use_webaudio_enable_message -t android -E "ANDROID_JAVA_TAGGED_ONLY=true" -D enable_printing -D use_concatenated_impulse_responses
+	$(hide)cd $(gyp_local_path)/net; mkdir -p $(gyp_shared_intermediate_dir)/net/grit $(gyp_shared_intermediate_dir)/net; python ../tools/grit/grit.py -i base/net_resources.grd build -f ../tools/gritsettings/resource_ids -o "$(gyp_shared_intermediate_dir)/net" -D _chromium -E "CHROMIUM_BUILD=chromium" -t android -E "ANDROID_JAVA_TAGGED_ONLY=true" -D enable_printing -D use_concatenated_impulse_responses
 
 $(gyp_shared_intermediate_dir)/net/net_resources.pak: $(gyp_shared_intermediate_dir)/net/grit/net_resources.h ;
 $(gyp_shared_intermediate_dir)/net/net_resources.rc: $(gyp_shared_intermediate_dir)/net/grit/net_resources.h ;
diff --git a/net/net_resources.target.darwin-x86_64.mk b/net/net_resources.target.darwin-x86_64.mk
new file mode 100644
index 0000000000..80db67d70a
--- /dev/null
+++ b/net/net_resources.target.darwin-x86_64.mk
@@ -0,0 +1,54 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_net_resources_gyp
+LOCAL_MODULE_STEM := net_resources
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+### Rules for action "net_resources":
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: $(LOCAL_PATH)/tools/gritsettings/resource_ids $(LOCAL_PATH)/net/base/net_resources.grd $(LOCAL_PATH)/net/base/dir_header.html $(LOCAL_PATH)/tools/grit/PRESUBMIT.py $(LOCAL_PATH)/tools/grit/grit.py $(LOCAL_PATH)/tools/grit/grit/__init__.py $(LOCAL_PATH)/tools/grit/grit/clique.py $(LOCAL_PATH)/tools/grit/grit/constants.py $(LOCAL_PATH)/tools/grit/grit/exception.py $(LOCAL_PATH)/tools/grit/grit/extern/BogoFP.py $(LOCAL_PATH)/tools/grit/grit/extern/FP.py $(LOCAL_PATH)/tools/grit/grit/extern/__init__.py $(LOCAL_PATH)/tools/grit/grit/extern/tclib.py $(LOCAL_PATH)/tools/grit/grit/format/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/android_xml.py $(LOCAL_PATH)/tools/grit/grit/format/c_format.py $(LOCAL_PATH)/tools/grit/grit/format/chrome_messages_json.py $(LOCAL_PATH)/tools/grit/grit/format/data_pack.py $(LOCAL_PATH)/tools/grit/grit/format/html_inline.py $(LOCAL_PATH)/tools/grit/grit/format/js_map_format.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/PRESUBMIT.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/policy_template_generator.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/template_formatter.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writer_configuration.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/adm_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/adml_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/admx_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/doc_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/json_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/mock_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_helper.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_strings_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/reg_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/template_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/writer_unittest_common.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/xml_formatted_writer.py $(LOCAL_PATH)/tools/grit/grit/format/rc.py $(LOCAL_PATH)/tools/grit/grit/format/rc_header.py $(LOCAL_PATH)/tools/grit/grit/format/repack.py $(LOCAL_PATH)/tools/grit/grit/format/resource_map.py $(LOCAL_PATH)/tools/grit/grit/gather/__init__.py $(LOCAL_PATH)/tools/grit/grit/gather/admin_template.py $(LOCAL_PATH)/tools/grit/grit/gather/chrome_html.py $(LOCAL_PATH)/tools/grit/grit/gather/chrome_scaled_image.py $(LOCAL_PATH)/tools/grit/grit/gather/igoogle_strings.py $(LOCAL_PATH)/tools/grit/grit/gather/interface.py $(LOCAL_PATH)/tools/grit/grit/gather/json_loader.py $(LOCAL_PATH)/tools/grit/grit/gather/muppet_strings.py $(LOCAL_PATH)/tools/grit/grit/gather/policy_json.py $(LOCAL_PATH)/tools/grit/grit/gather/rc.py $(LOCAL_PATH)/tools/grit/grit/gather/regexp.py $(LOCAL_PATH)/tools/grit/grit/gather/skeleton_gatherer.py $(LOCAL_PATH)/tools/grit/grit/gather/tr_html.py $(LOCAL_PATH)/tools/grit/grit/gather/txt.py $(LOCAL_PATH)/tools/grit/grit/grd_reader.py $(LOCAL_PATH)/tools/grit/grit/grit_runner.py $(LOCAL_PATH)/tools/grit/grit/lazy_re.py $(LOCAL_PATH)/tools/grit/grit/node/__init__.py $(LOCAL_PATH)/tools/grit/grit/node/base.py $(LOCAL_PATH)/tools/grit/grit/node/custom/__init__.py $(LOCAL_PATH)/tools/grit/grit/node/custom/filename.py $(LOCAL_PATH)/tools/grit/grit/node/empty.py $(LOCAL_PATH)/tools/grit/grit/node/include.py $(LOCAL_PATH)/tools/grit/grit/node/io.py $(LOCAL_PATH)/tools/grit/grit/node/mapping.py $(LOCAL_PATH)/tools/grit/grit/node/message.py $(LOCAL_PATH)/tools/grit/grit/node/misc.py $(LOCAL_PATH)/tools/grit/grit/node/structure.py $(LOCAL_PATH)/tools/grit/grit/node/variant.py $(LOCAL_PATH)/tools/grit/grit/pseudo.py $(LOCAL_PATH)/tools/grit/grit/pseudo_rtl.py $(LOCAL_PATH)/tools/grit/grit/scons.py $(LOCAL_PATH)/tools/grit/grit/shortcuts.py $(LOCAL_PATH)/tools/grit/grit/shortcuts_unittests.py $(LOCAL_PATH)/tools/grit/grit/tclib.py $(LOCAL_PATH)/tools/grit/grit/test_suite_all.py $(LOCAL_PATH)/tools/grit/grit/tool/__init__.py $(LOCAL_PATH)/tools/grit/grit/tool/android2grd.py $(LOCAL_PATH)/tools/grit/grit/tool/build.py $(LOCAL_PATH)/tools/grit/grit/tool/buildinfo.py $(LOCAL_PATH)/tools/grit/grit/tool/count.py $(LOCAL_PATH)/tools/grit/grit/tool/diff_structures.py $(LOCAL_PATH)/tools/grit/grit/tool/interface.py $(LOCAL_PATH)/tools/grit/grit/tool/menu_from_parts.py $(LOCAL_PATH)/tools/grit/grit/tool/newgrd.py $(LOCAL_PATH)/tools/grit/grit/tool/postprocess_interface.py $(LOCAL_PATH)/tools/grit/grit/tool/preprocess_interface.py $(LOCAL_PATH)/tools/grit/grit/tool/rc2grd.py $(LOCAL_PATH)/tools/grit/grit/tool/resize.py $(LOCAL_PATH)/tools/grit/grit/tool/test.py $(LOCAL_PATH)/tools/grit/grit/tool/toolbar_postprocess.py $(LOCAL_PATH)/tools/grit/grit/tool/toolbar_preprocess.py $(LOCAL_PATH)/tools/grit/grit/tool/transl2tc.py $(LOCAL_PATH)/tools/grit/grit/tool/unit.py $(LOCAL_PATH)/tools/grit/grit/tool/xmb.py $(LOCAL_PATH)/tools/grit/grit/util.py $(LOCAL_PATH)/tools/grit/grit/xtb_reader.py $(LOCAL_PATH)/tools/grit/grit_info.py $(GYP_TARGET_DEPENDENCIES)
+	@echo "Gyp action: Generating resources from base/net_resources.grd ($@)"
+	$(hide)cd $(gyp_local_path)/net; mkdir -p $(gyp_shared_intermediate_dir)/net/grit $(gyp_shared_intermediate_dir)/net; python ../tools/grit/grit.py -i base/net_resources.grd build -f ../tools/gritsettings/resource_ids -o "$(gyp_shared_intermediate_dir)/net" -D _chromium -E "CHROMIUM_BUILD=chromium" -t android -E "ANDROID_JAVA_TAGGED_ONLY=true" -D enable_printing -D use_concatenated_impulse_responses
+
+$(gyp_shared_intermediate_dir)/net/net_resources.pak: $(gyp_shared_intermediate_dir)/net/grit/net_resources.h ;
+$(gyp_shared_intermediate_dir)/net/net_resources.rc: $(gyp_shared_intermediate_dir)/net/grit/net_resources.h ;
+
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/net/grit/net_resources.h \
+	$(gyp_shared_intermediate_dir)/net/net_resources.pak \
+	$(gyp_shared_intermediate_dir)/net/net_resources.rc
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_net_resources_gyp
+
+# Alias gyp target name.
+.PHONY: net_resources
+net_resources: net_net_resources_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/net_resources.target.linux-x86.mk b/net/net_resources.target.linux-x86.mk
index 89ede6f743..80db67d70a 100644
--- a/net/net_resources.target.linux-x86.mk
+++ b/net/net_resources.target.linux-x86.mk
@@ -20,7 +20,7 @@ $(gyp_shared_intermediate_dir)/net/grit/net_resources.h: gyp_shared_intermediate
 $(gyp_shared_intermediate_dir)/net/grit/net_resources.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
 $(gyp_shared_intermediate_dir)/net/grit/net_resources.h: $(LOCAL_PATH)/tools/gritsettings/resource_ids $(LOCAL_PATH)/net/base/net_resources.grd $(LOCAL_PATH)/net/base/dir_header.html $(LOCAL_PATH)/tools/grit/PRESUBMIT.py $(LOCAL_PATH)/tools/grit/grit.py $(LOCAL_PATH)/tools/grit/grit/__init__.py $(LOCAL_PATH)/tools/grit/grit/clique.py $(LOCAL_PATH)/tools/grit/grit/constants.py $(LOCAL_PATH)/tools/grit/grit/exception.py $(LOCAL_PATH)/tools/grit/grit/extern/BogoFP.py $(LOCAL_PATH)/tools/grit/grit/extern/FP.py $(LOCAL_PATH)/tools/grit/grit/extern/__init__.py $(LOCAL_PATH)/tools/grit/grit/extern/tclib.py $(LOCAL_PATH)/tools/grit/grit/format/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/android_xml.py $(LOCAL_PATH)/tools/grit/grit/format/c_format.py $(LOCAL_PATH)/tools/grit/grit/format/chrome_messages_json.py $(LOCAL_PATH)/tools/grit/grit/format/data_pack.py $(LOCAL_PATH)/tools/grit/grit/format/html_inline.py $(LOCAL_PATH)/tools/grit/grit/format/js_map_format.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/PRESUBMIT.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/policy_template_generator.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/template_formatter.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writer_configuration.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/adm_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/adml_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/admx_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/doc_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/json_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/mock_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_helper.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_strings_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/reg_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/template_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/writer_unittest_common.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/xml_formatted_writer.py $(LOCAL_PATH)/tools/grit/grit/format/rc.py $(LOCAL_PATH)/tools/grit/grit/format/rc_header.py $(LOCAL_PATH)/tools/grit/grit/format/repack.py $(LOCAL_PATH)/tools/grit/grit/format/resource_map.py $(LOCAL_PATH)/tools/grit/grit/gather/__init__.py $(LOCAL_PATH)/tools/grit/grit/gather/admin_template.py $(LOCAL_PATH)/tools/grit/grit/gather/chrome_html.py $(LOCAL_PATH)/tools/grit/grit/gather/chrome_scaled_image.py $(LOCAL_PATH)/tools/grit/grit/gather/igoogle_strings.py $(LOCAL_PATH)/tools/grit/grit/gather/interface.py $(LOCAL_PATH)/tools/grit/grit/gather/json_loader.py $(LOCAL_PATH)/tools/grit/grit/gather/muppet_strings.py $(LOCAL_PATH)/tools/grit/grit/gather/policy_json.py $(LOCAL_PATH)/tools/grit/grit/gather/rc.py $(LOCAL_PATH)/tools/grit/grit/gather/regexp.py $(LOCAL_PATH)/tools/grit/grit/gather/skeleton_gatherer.py $(LOCAL_PATH)/tools/grit/grit/gather/tr_html.py $(LOCAL_PATH)/tools/grit/grit/gather/txt.py $(LOCAL_PATH)/tools/grit/grit/grd_reader.py $(LOCAL_PATH)/tools/grit/grit/grit_runner.py $(LOCAL_PATH)/tools/grit/grit/lazy_re.py $(LOCAL_PATH)/tools/grit/grit/node/__init__.py $(LOCAL_PATH)/tools/grit/grit/node/base.py $(LOCAL_PATH)/tools/grit/grit/node/custom/__init__.py $(LOCAL_PATH)/tools/grit/grit/node/custom/filename.py $(LOCAL_PATH)/tools/grit/grit/node/empty.py $(LOCAL_PATH)/tools/grit/grit/node/include.py $(LOCAL_PATH)/tools/grit/grit/node/io.py $(LOCAL_PATH)/tools/grit/grit/node/mapping.py $(LOCAL_PATH)/tools/grit/grit/node/message.py $(LOCAL_PATH)/tools/grit/grit/node/misc.py $(LOCAL_PATH)/tools/grit/grit/node/structure.py $(LOCAL_PATH)/tools/grit/grit/node/variant.py $(LOCAL_PATH)/tools/grit/grit/pseudo.py $(LOCAL_PATH)/tools/grit/grit/pseudo_rtl.py $(LOCAL_PATH)/tools/grit/grit/scons.py $(LOCAL_PATH)/tools/grit/grit/shortcuts.py $(LOCAL_PATH)/tools/grit/grit/shortcuts_unittests.py $(LOCAL_PATH)/tools/grit/grit/tclib.py $(LOCAL_PATH)/tools/grit/grit/test_suite_all.py $(LOCAL_PATH)/tools/grit/grit/tool/__init__.py $(LOCAL_PATH)/tools/grit/grit/tool/android2grd.py $(LOCAL_PATH)/tools/grit/grit/tool/build.py $(LOCAL_PATH)/tools/grit/grit/tool/buildinfo.py $(LOCAL_PATH)/tools/grit/grit/tool/count.py $(LOCAL_PATH)/tools/grit/grit/tool/diff_structures.py $(LOCAL_PATH)/tools/grit/grit/tool/interface.py $(LOCAL_PATH)/tools/grit/grit/tool/menu_from_parts.py $(LOCAL_PATH)/tools/grit/grit/tool/newgrd.py $(LOCAL_PATH)/tools/grit/grit/tool/postprocess_interface.py $(LOCAL_PATH)/tools/grit/grit/tool/preprocess_interface.py $(LOCAL_PATH)/tools/grit/grit/tool/rc2grd.py $(LOCAL_PATH)/tools/grit/grit/tool/resize.py $(LOCAL_PATH)/tools/grit/grit/tool/test.py $(LOCAL_PATH)/tools/grit/grit/tool/toolbar_postprocess.py $(LOCAL_PATH)/tools/grit/grit/tool/toolbar_preprocess.py $(LOCAL_PATH)/tools/grit/grit/tool/transl2tc.py $(LOCAL_PATH)/tools/grit/grit/tool/unit.py $(LOCAL_PATH)/tools/grit/grit/tool/xmb.py $(LOCAL_PATH)/tools/grit/grit/util.py $(LOCAL_PATH)/tools/grit/grit/xtb_reader.py $(LOCAL_PATH)/tools/grit/grit_info.py $(GYP_TARGET_DEPENDENCIES)
 	@echo "Gyp action: Generating resources from base/net_resources.grd ($@)"
-	$(hide)cd $(gyp_local_path)/net; mkdir -p $(gyp_shared_intermediate_dir)/net/grit $(gyp_shared_intermediate_dir)/net; python ../tools/grit/grit.py -i base/net_resources.grd build -f ../tools/gritsettings/resource_ids -o "$(gyp_shared_intermediate_dir)/net" -D _chromium -E "CHROMIUM_BUILD=chromium" -D use_webaudio_enable_message -t android -E "ANDROID_JAVA_TAGGED_ONLY=true" -D enable_printing -D use_concatenated_impulse_responses
+	$(hide)cd $(gyp_local_path)/net; mkdir -p $(gyp_shared_intermediate_dir)/net/grit $(gyp_shared_intermediate_dir)/net; python ../tools/grit/grit.py -i base/net_resources.grd build -f ../tools/gritsettings/resource_ids -o "$(gyp_shared_intermediate_dir)/net" -D _chromium -E "CHROMIUM_BUILD=chromium" -t android -E "ANDROID_JAVA_TAGGED_ONLY=true" -D enable_printing -D use_concatenated_impulse_responses
 
 $(gyp_shared_intermediate_dir)/net/net_resources.pak: $(gyp_shared_intermediate_dir)/net/grit/net_resources.h ;
 $(gyp_shared_intermediate_dir)/net/net_resources.rc: $(gyp_shared_intermediate_dir)/net/grit/net_resources.h ;
diff --git a/net/net_resources.target.linux-x86_64.mk b/net/net_resources.target.linux-x86_64.mk
new file mode 100644
index 0000000000..80db67d70a
--- /dev/null
+++ b/net/net_resources.target.linux-x86_64.mk
@@ -0,0 +1,54 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_net_resources_gyp
+LOCAL_MODULE_STEM := net_resources
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+### Rules for action "net_resources":
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/net/grit/net_resources.h: $(LOCAL_PATH)/tools/gritsettings/resource_ids $(LOCAL_PATH)/net/base/net_resources.grd $(LOCAL_PATH)/net/base/dir_header.html $(LOCAL_PATH)/tools/grit/PRESUBMIT.py $(LOCAL_PATH)/tools/grit/grit.py $(LOCAL_PATH)/tools/grit/grit/__init__.py $(LOCAL_PATH)/tools/grit/grit/clique.py $(LOCAL_PATH)/tools/grit/grit/constants.py $(LOCAL_PATH)/tools/grit/grit/exception.py $(LOCAL_PATH)/tools/grit/grit/extern/BogoFP.py $(LOCAL_PATH)/tools/grit/grit/extern/FP.py $(LOCAL_PATH)/tools/grit/grit/extern/__init__.py $(LOCAL_PATH)/tools/grit/grit/extern/tclib.py $(LOCAL_PATH)/tools/grit/grit/format/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/android_xml.py $(LOCAL_PATH)/tools/grit/grit/format/c_format.py $(LOCAL_PATH)/tools/grit/grit/format/chrome_messages_json.py $(LOCAL_PATH)/tools/grit/grit/format/data_pack.py $(LOCAL_PATH)/tools/grit/grit/format/html_inline.py $(LOCAL_PATH)/tools/grit/grit/format/js_map_format.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/PRESUBMIT.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/policy_template_generator.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/template_formatter.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writer_configuration.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/__init__.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/adm_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/adml_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/admx_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/doc_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/json_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/mock_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_helper.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_strings_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/plist_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/reg_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/template_writer.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/writer_unittest_common.py $(LOCAL_PATH)/tools/grit/grit/format/policy_templates/writers/xml_formatted_writer.py $(LOCAL_PATH)/tools/grit/grit/format/rc.py $(LOCAL_PATH)/tools/grit/grit/format/rc_header.py $(LOCAL_PATH)/tools/grit/grit/format/repack.py $(LOCAL_PATH)/tools/grit/grit/format/resource_map.py $(LOCAL_PATH)/tools/grit/grit/gather/__init__.py $(LOCAL_PATH)/tools/grit/grit/gather/admin_template.py $(LOCAL_PATH)/tools/grit/grit/gather/chrome_html.py $(LOCAL_PATH)/tools/grit/grit/gather/chrome_scaled_image.py $(LOCAL_PATH)/tools/grit/grit/gather/igoogle_strings.py $(LOCAL_PATH)/tools/grit/grit/gather/interface.py $(LOCAL_PATH)/tools/grit/grit/gather/json_loader.py $(LOCAL_PATH)/tools/grit/grit/gather/muppet_strings.py $(LOCAL_PATH)/tools/grit/grit/gather/policy_json.py $(LOCAL_PATH)/tools/grit/grit/gather/rc.py $(LOCAL_PATH)/tools/grit/grit/gather/regexp.py $(LOCAL_PATH)/tools/grit/grit/gather/skeleton_gatherer.py $(LOCAL_PATH)/tools/grit/grit/gather/tr_html.py $(LOCAL_PATH)/tools/grit/grit/gather/txt.py $(LOCAL_PATH)/tools/grit/grit/grd_reader.py $(LOCAL_PATH)/tools/grit/grit/grit_runner.py $(LOCAL_PATH)/tools/grit/grit/lazy_re.py $(LOCAL_PATH)/tools/grit/grit/node/__init__.py $(LOCAL_PATH)/tools/grit/grit/node/base.py $(LOCAL_PATH)/tools/grit/grit/node/custom/__init__.py $(LOCAL_PATH)/tools/grit/grit/node/custom/filename.py $(LOCAL_PATH)/tools/grit/grit/node/empty.py $(LOCAL_PATH)/tools/grit/grit/node/include.py $(LOCAL_PATH)/tools/grit/grit/node/io.py $(LOCAL_PATH)/tools/grit/grit/node/mapping.py $(LOCAL_PATH)/tools/grit/grit/node/message.py $(LOCAL_PATH)/tools/grit/grit/node/misc.py $(LOCAL_PATH)/tools/grit/grit/node/structure.py $(LOCAL_PATH)/tools/grit/grit/node/variant.py $(LOCAL_PATH)/tools/grit/grit/pseudo.py $(LOCAL_PATH)/tools/grit/grit/pseudo_rtl.py $(LOCAL_PATH)/tools/grit/grit/scons.py $(LOCAL_PATH)/tools/grit/grit/shortcuts.py $(LOCAL_PATH)/tools/grit/grit/shortcuts_unittests.py $(LOCAL_PATH)/tools/grit/grit/tclib.py $(LOCAL_PATH)/tools/grit/grit/test_suite_all.py $(LOCAL_PATH)/tools/grit/grit/tool/__init__.py $(LOCAL_PATH)/tools/grit/grit/tool/android2grd.py $(LOCAL_PATH)/tools/grit/grit/tool/build.py $(LOCAL_PATH)/tools/grit/grit/tool/buildinfo.py $(LOCAL_PATH)/tools/grit/grit/tool/count.py $(LOCAL_PATH)/tools/grit/grit/tool/diff_structures.py $(LOCAL_PATH)/tools/grit/grit/tool/interface.py $(LOCAL_PATH)/tools/grit/grit/tool/menu_from_parts.py $(LOCAL_PATH)/tools/grit/grit/tool/newgrd.py $(LOCAL_PATH)/tools/grit/grit/tool/postprocess_interface.py $(LOCAL_PATH)/tools/grit/grit/tool/preprocess_interface.py $(LOCAL_PATH)/tools/grit/grit/tool/rc2grd.py $(LOCAL_PATH)/tools/grit/grit/tool/resize.py $(LOCAL_PATH)/tools/grit/grit/tool/test.py $(LOCAL_PATH)/tools/grit/grit/tool/toolbar_postprocess.py $(LOCAL_PATH)/tools/grit/grit/tool/toolbar_preprocess.py $(LOCAL_PATH)/tools/grit/grit/tool/transl2tc.py $(LOCAL_PATH)/tools/grit/grit/tool/unit.py $(LOCAL_PATH)/tools/grit/grit/tool/xmb.py $(LOCAL_PATH)/tools/grit/grit/util.py $(LOCAL_PATH)/tools/grit/grit/xtb_reader.py $(LOCAL_PATH)/tools/grit/grit_info.py $(GYP_TARGET_DEPENDENCIES)
+	@echo "Gyp action: Generating resources from base/net_resources.grd ($@)"
+	$(hide)cd $(gyp_local_path)/net; mkdir -p $(gyp_shared_intermediate_dir)/net/grit $(gyp_shared_intermediate_dir)/net; python ../tools/grit/grit.py -i base/net_resources.grd build -f ../tools/gritsettings/resource_ids -o "$(gyp_shared_intermediate_dir)/net" -D _chromium -E "CHROMIUM_BUILD=chromium" -t android -E "ANDROID_JAVA_TAGGED_ONLY=true" -D enable_printing -D use_concatenated_impulse_responses
+
+$(gyp_shared_intermediate_dir)/net/net_resources.pak: $(gyp_shared_intermediate_dir)/net/grit/net_resources.h ;
+$(gyp_shared_intermediate_dir)/net/net_resources.rc: $(gyp_shared_intermediate_dir)/net/grit/net_resources.h ;
+
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/net/grit/net_resources.h \
+	$(gyp_shared_intermediate_dir)/net/net_resources.pak \
+	$(gyp_shared_intermediate_dir)/net/net_resources.rc
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_net_resources_gyp
+
+# Alias gyp target name.
+.PHONY: net_resources
+net_resources: net_net_resources_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/private_key_types_java.target.darwin-arm.mk b/net/private_key_types_java.target.darwin-arm.mk
index 047e4466a7..96c213cb3a 100644
--- a/net/private_key_types_java.target.darwin-arm.mk
+++ b/net/private_key_types_java.target.darwin-arm.mk
@@ -94,6 +94,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -176,6 +177,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/private_key_types_java.target.darwin-mips.mk b/net/private_key_types_java.target.darwin-mips.mk
index 7911a78315..9358619503 100644
--- a/net/private_key_types_java.target.darwin-mips.mk
+++ b/net/private_key_types_java.target.darwin-mips.mk
@@ -93,6 +93,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -174,6 +175,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/private_key_types_java.target.darwin-x86.mk b/net/private_key_types_java.target.darwin-x86.mk
index 50c0dff470..e1cd167fce 100644
--- a/net/private_key_types_java.target.darwin-x86.mk
+++ b/net/private_key_types_java.target.darwin-x86.mk
@@ -95,6 +95,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -177,6 +178,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/private_key_types_java.target.darwin-x86_64.mk b/net/private_key_types_java.target.darwin-x86_64.mk
new file mode 100644
index 0000000000..6059d01e14
--- /dev/null
+++ b/net/private_key_types_java.target.darwin-x86_64.mk
@@ -0,0 +1,233 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_private_key_types_java_gyp
+LOCAL_MODULE_STEM := private_key_types_java
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_private_key_types_java_target_generate_java_constants":
+# "{'inputs': ['../build/android/gyp/util/build_utils.py', '../build/android/gyp/gcc_preprocess.py', 'android/private_key_type_list.h'], 'extension': 'template', 'outputs': ['$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'], 'variables': {'output_path': '$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'}, 'rule_name': 'generate_java_constants', 'rule_sources': ['android/java/PrivateKeyType.template'], 'action': ['python', '../build/android/gyp/gcc_preprocess.py', '--include-path=..', '--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java', '--template=$(RULE_SOURCES)'], 'message': 'Generating Java from cpp template $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: $(LOCAL_PATH)/net/android/java/PrivateKeyType.template $(LOCAL_PATH)/build/android/gyp/util/build_utils.py $(LOCAL_PATH)/build/android/gyp/gcc_preprocess.py $(LOCAL_PATH)/net/android/private_key_type_list.h $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/templates/org/chromium/net; cd $(gyp_local_path)/net; python ../build/android/gyp/gcc_preprocess.py "--include-path=.." "--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java" "--template=android/java/PrivateKeyType.template"
+
+.PHONY: net_private_key_types_java_gyp_rule_trigger
+net_private_key_types_java_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	net_private_key_types_java_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_private_key_types_java_gyp
+
+# Alias gyp target name.
+.PHONY: private_key_types_java
+private_key_types_java: net_private_key_types_java_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/private_key_types_java.target.linux-arm.mk b/net/private_key_types_java.target.linux-arm.mk
index 047e4466a7..96c213cb3a 100644
--- a/net/private_key_types_java.target.linux-arm.mk
+++ b/net/private_key_types_java.target.linux-arm.mk
@@ -94,6 +94,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -176,6 +177,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/private_key_types_java.target.linux-mips.mk b/net/private_key_types_java.target.linux-mips.mk
index 7911a78315..9358619503 100644
--- a/net/private_key_types_java.target.linux-mips.mk
+++ b/net/private_key_types_java.target.linux-mips.mk
@@ -93,6 +93,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -174,6 +175,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/private_key_types_java.target.linux-x86.mk b/net/private_key_types_java.target.linux-x86.mk
index 50c0dff470..e1cd167fce 100644
--- a/net/private_key_types_java.target.linux-x86.mk
+++ b/net/private_key_types_java.target.linux-x86.mk
@@ -95,6 +95,7 @@ MY_DEFS_Debug := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
@@ -177,6 +178,7 @@ MY_DEFS_Release := \
 	'-DENABLE_PRINTING=1' \
 	'-DENABLE_MANAGED_USERS=1' \
 	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
 	'-D__STDC_CONSTANT_MACROS' \
 	'-D__STDC_FORMAT_MACROS' \
 	'-DANDROID' \
diff --git a/net/private_key_types_java.target.linux-x86_64.mk b/net/private_key_types_java.target.linux-x86_64.mk
new file mode 100644
index 0000000000..6059d01e14
--- /dev/null
+++ b/net/private_key_types_java.target.linux-x86_64.mk
@@ -0,0 +1,233 @@
+# This file is generated by gyp; do not edit.
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_CLASS := GYP
+LOCAL_MODULE := net_private_key_types_java_gyp
+LOCAL_MODULE_STEM := private_key_types_java
+LOCAL_MODULE_SUFFIX := .stamp
+LOCAL_MODULE_TAGS := optional
+gyp_intermediate_dir := $(call local-intermediates-dir)
+gyp_shared_intermediate_dir := $(call intermediates-dir-for,GYP,shared)
+
+# Make sure our deps are built first.
+GYP_TARGET_DEPENDENCIES :=
+
+
+### Generated for rule "net_net_gyp_private_key_types_java_target_generate_java_constants":
+# "{'inputs': ['../build/android/gyp/util/build_utils.py', '../build/android/gyp/gcc_preprocess.py', 'android/private_key_type_list.h'], 'extension': 'template', 'outputs': ['$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'], 'variables': {'output_path': '$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java'}, 'rule_name': 'generate_java_constants', 'rule_sources': ['android/java/PrivateKeyType.template'], 'action': ['python', '../build/android/gyp/gcc_preprocess.py', '--include-path=..', '--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/%(INPUT_ROOT)s.java', '--template=$(RULE_SOURCES)'], 'message': 'Generating Java from cpp template $(RULE_SOURCES)'}":
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: gyp_local_path := $(LOCAL_PATH)
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: gyp_intermediate_dir := $(abspath $(gyp_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: gyp_shared_intermediate_dir := $(abspath $(gyp_shared_intermediate_dir))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: export PATH := $(subst $(ANDROID_BUILD_PATHS),,$(PATH))
+$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java: $(LOCAL_PATH)/net/android/java/PrivateKeyType.template $(LOCAL_PATH)/build/android/gyp/util/build_utils.py $(LOCAL_PATH)/build/android/gyp/gcc_preprocess.py $(LOCAL_PATH)/net/android/private_key_type_list.h $(GYP_TARGET_DEPENDENCIES)
+	mkdir -p $(gyp_shared_intermediate_dir)/templates/org/chromium/net; cd $(gyp_local_path)/net; python ../build/android/gyp/gcc_preprocess.py "--include-path=.." "--output=$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java" "--template=android/java/PrivateKeyType.template"
+
+.PHONY: net_private_key_types_java_gyp_rule_trigger
+net_private_key_types_java_gyp_rule_trigger: $(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java
+
+### Finished generating for all rules
+
+GYP_GENERATED_OUTPUTS := \
+	$(gyp_shared_intermediate_dir)/templates/org/chromium/net/PrivateKeyType.java
+
+# Make sure our deps and generated files are built first.
+LOCAL_ADDITIONAL_DEPENDENCIES := $(GYP_TARGET_DEPENDENCIES) $(GYP_GENERATED_OUTPUTS)
+
+LOCAL_GENERATED_SOURCES := \
+	net_private_key_types_java_gyp_rule_trigger
+
+GYP_COPIED_SOURCE_ORIGIN_DIRS :=
+
+LOCAL_SRC_FILES :=
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Debug := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-g \
+	-fomit-frame-pointer \
+	-fdata-sections \
+	-ffunction-sections \
+	-funwind-tables
+
+MY_DEFS_Debug := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=1' \
+	'-DWTF_USE_DYNAMIC_ANNOTATIONS=1' \
+	'-D_DEBUG'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Debug := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Debug := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+# Flags passed to both C and C++ files.
+MY_CFLAGS_Release := \
+	-fstack-protector \
+	--param=ssp-buffer-size=4 \
+	-Werror \
+	-fno-exceptions \
+	-fno-strict-aliasing \
+	-Wall \
+	-Wno-unused-parameter \
+	-Wno-missing-field-initializers \
+	-fvisibility=hidden \
+	-pipe \
+	-fPIC \
+	-Wno-unused-local-typedefs \
+	-m64 \
+	-march=x86-64 \
+	-fuse-ld=gold \
+	-ffunction-sections \
+	-funwind-tables \
+	-g \
+	-fstack-protector \
+	-fno-short-enums \
+	-finline-limit=64 \
+	-Wa,--noexecstack \
+	-U_FORTIFY_SOURCE \
+	-Wno-extra \
+	-Wno-ignored-qualifiers \
+	-Wno-type-limits \
+	-Wno-unused-but-set-variable \
+	-Os \
+	-fno-ident \
+	-fdata-sections \
+	-ffunction-sections \
+	-fomit-frame-pointer \
+	-funwind-tables
+
+MY_DEFS_Release := \
+	'-DV8_DEPRECATION_WARNINGS' \
+	'-DBLINK_SCALE_FILTERS_AT_RECORD_TIME' \
+	'-D_FILE_OFFSET_BITS=64' \
+	'-DNO_TCMALLOC' \
+	'-DDISABLE_NACL' \
+	'-DCHROMIUM_BUILD' \
+	'-DUSE_LIBJPEG_TURBO=1' \
+	'-DUSE_PROPRIETARY_CODECS' \
+	'-DENABLE_CONFIGURATION_POLICY' \
+	'-DDISCARDABLE_MEMORY_ALWAYS_SUPPORTED_NATIVELY' \
+	'-DSYSTEM_NATIVELY_SIGNALS_MEMORY_PRESSURE' \
+	'-DENABLE_EGLIMAGE=1' \
+	'-DCLD_VERSION=1' \
+	'-DENABLE_PRINTING=1' \
+	'-DENABLE_MANAGED_USERS=1' \
+	'-DUSE_OPENSSL=1' \
+	'-DUSE_OPENSSL_CERTS=1' \
+	'-D__STDC_CONSTANT_MACROS' \
+	'-D__STDC_FORMAT_MACROS' \
+	'-DANDROID' \
+	'-D__GNU_SOURCE=1' \
+	'-DUSE_STLPORT=1' \
+	'-D_STLP_USE_PTR_SPECIALIZATIONS=1' \
+	'-DCHROME_BUILD_ID=""' \
+	'-DNDEBUG' \
+	'-DNVALGRIND' \
+	'-DDYNAMIC_ANNOTATIONS_ENABLED=0' \
+	'-D_FORTIFY_SOURCE=2'
+
+
+# Include paths placed before CFLAGS/CPPFLAGS
+LOCAL_C_INCLUDES_Release := \
+	$(PWD)/frameworks/wilhelm/include \
+	$(PWD)/bionic \
+	$(PWD)/external/stlport/stlport
+
+
+# Flags passed to only C++ (and not C) files.
+LOCAL_CPPFLAGS_Release := \
+	-fno-rtti \
+	-fno-threadsafe-statics \
+	-fvisibility-inlines-hidden \
+	-Wsign-compare \
+	-Wno-non-virtual-dtor \
+	-Wno-sign-promo
+
+
+LOCAL_CFLAGS := $(MY_CFLAGS_$(GYP_CONFIGURATION)) $(MY_DEFS_$(GYP_CONFIGURATION))
+LOCAL_C_INCLUDES := $(GYP_COPIED_SOURCE_ORIGIN_DIRS) $(LOCAL_C_INCLUDES_$(GYP_CONFIGURATION))
+LOCAL_CPPFLAGS := $(LOCAL_CPPFLAGS_$(GYP_CONFIGURATION))
+LOCAL_ASFLAGS := $(LOCAL_CFLAGS)
+### Rules for final target.
+# Add target alias to "gyp_all_modules" target.
+.PHONY: gyp_all_modules
+gyp_all_modules: net_private_key_types_java_gyp
+
+# Alias gyp target name.
+.PHONY: private_key_types_java
+private_key_types_java: net_private_key_types_java_gyp
+
+LOCAL_MODULE_PATH := $(PRODUCT_OUT)/gyp_stamp
+LOCAL_UNINSTALLABLE_MODULE := true
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(LOCAL_ADDITIONAL_DEPENDENCIES)
+	$(hide) echo "Gyp timestamp: $@"
+	$(hide) mkdir -p $(dir $@)
+	$(hide) touch $@
diff --git a/net/proxy/network_delegate_error_observer_unittest.cc b/net/proxy/network_delegate_error_observer_unittest.cc
index a893cbafd2..1f6330f0dd 100644
--- a/net/proxy/network_delegate_error_observer_unittest.cc
+++ b/net/proxy/network_delegate_error_observer_unittest.cc
@@ -41,7 +41,8 @@ class TestNetworkDelegate : public net::NetworkDelegate {
       URLRequest* request,
       const CompletionCallback& callback,
       const HttpResponseHeaders* original_response_headers,
-      scoped_refptr<HttpResponseHeaders>* override_response_headers) OVERRIDE {
+      scoped_refptr<HttpResponseHeaders>* override_response_headers,
+      GURL* allowed_unsafe_redirect_url) OVERRIDE {
     return net::OK;
   }
   virtual void OnBeforeRedirect(URLRequest* request,
diff --git a/net/proxy/proxy_script_fetcher_impl_unittest.cc b/net/proxy/proxy_script_fetcher_impl_unittest.cc
index 2dbcfed521..f0505540ed 100644
--- a/net/proxy/proxy_script_fetcher_impl_unittest.cc
+++ b/net/proxy/proxy_script_fetcher_impl_unittest.cc
@@ -126,8 +126,8 @@ class BasicNetworkDelegate : public NetworkDelegate {
       URLRequest* request,
       const CompletionCallback& callback,
       const HttpResponseHeaders* original_response_headers,
-      scoped_refptr<HttpResponseHeaders>* override_response_headers)
-      OVERRIDE {
+      scoped_refptr<HttpResponseHeaders>* override_response_headers,
+      GURL* allowed_unsafe_redirect_url) OVERRIDE {
     return OK;
   }
 
diff --git a/net/quic/crypto/chacha20_poly1305_decrypter.h b/net/quic/crypto/chacha20_poly1305_decrypter.h
index 638fb4a09f..b53d64a788 100644
--- a/net/quic/crypto/chacha20_poly1305_decrypter.h
+++ b/net/quic/crypto/chacha20_poly1305_decrypter.h
@@ -11,7 +11,8 @@ namespace net {
 
 // A ChaCha20Poly1305Decrypter is a QuicDecrypter that implements the
 // AEAD_CHACHA20_POLY1305 algorithm specified in
-// draft-agl-tls-chacha20poly1305-04. Create an instance by calling
+// draft-agl-tls-chacha20poly1305-04, except that it truncates the Poly1305
+// authenticator to 12 bytes. Create an instance by calling
 // QuicDecrypter::Create(kCC12).
 //
 // It uses an authentication tag of 16 bytes (128 bits). There is no
@@ -19,7 +20,7 @@ namespace net {
 class NET_EXPORT_PRIVATE ChaCha20Poly1305Decrypter : public AeadBaseDecrypter {
  public:
   enum {
-    kAuthTagSize = 16,
+    kAuthTagSize = 12,
   };
 
   ChaCha20Poly1305Decrypter();
diff --git a/net/quic/crypto/chacha20_poly1305_decrypter_test.cc b/net/quic/crypto/chacha20_poly1305_decrypter_test.cc
index 8482e01cf5..1825187bb3 100644
--- a/net/quic/crypto/chacha20_poly1305_decrypter_test.cc
+++ b/net/quic/crypto/chacha20_poly1305_decrypter_test.cc
@@ -33,7 +33,7 @@ const TestVector test_vectors[] = {
         "0a1007",
     "cd7cf67be39c794a",
     "87e229d4500845a079c0",
-    "e3e446f7ede9a19b62a4677dabf4e3d24b876bb284753896e1d6",
+    "e3e446f7ede9a19b62a4677dabf4e3d24b876bb28475",  // "3896e1d6" truncated.
     "86d09974840bded2a5ca"
   },
   // Modify the ciphertext (ChaCha20 encryption output).
@@ -41,7 +41,7 @@ const TestVector test_vectors[] = {
         "0a1007",
     "cd7cf67be39c794a",
     "87e229d4500845a079c0",
-    "f3e446f7ede9a19b62a4677dabf4e3d24b876bb284753896e1d6",
+    "f3e446f7ede9a19b62a4677dabf4e3d24b876bb28475",  // "3896e1d6" truncated.
     NULL  // FAIL
   },
   // Modify the ciphertext (Poly1305 authenticator).
@@ -49,7 +49,7 @@ const TestVector test_vectors[] = {
         "0a1007",
     "cd7cf67be39c794a",
     "87e229d4500845a079c0",
-    "e3e446f7ede9a19b62a4677dabf4e3d24b876bb284753896e1d7",
+    "e3e446f7ede9a19b62a4677dabf4e3d24b876bb28476",  // "3896e1d6" truncated.
     NULL  // FAIL
   },
   // Modify the associated data.
@@ -57,7 +57,7 @@ const TestVector test_vectors[] = {
         "0a1007",
     "dd7cf67be39c794a",
     "87e229d4500845a079c0",
-    "e3e446f7ede9a19b62a4677dabf4e3d24b876bb284753896e1d6",
+    "e3e446f7ede9a19b62a4677dabf4e3d24b876bb28475",  // "3896e1d6" truncated.
     NULL  // FAIL
   },
   { NULL }
diff --git a/net/quic/crypto/chacha20_poly1305_encrypter.h b/net/quic/crypto/chacha20_poly1305_encrypter.h
index 29ec3ef1a9..ed1102ce1e 100644
--- a/net/quic/crypto/chacha20_poly1305_encrypter.h
+++ b/net/quic/crypto/chacha20_poly1305_encrypter.h
@@ -11,7 +11,8 @@ namespace net {
 
 // A ChaCha20Poly1305Encrypter is a QuicEncrypter that implements the
 // AEAD_CHACHA20_POLY1305 algorithm specified in
-// draft-agl-tls-chacha20poly1305-04. Create an instance by calling
+// draft-agl-tls-chacha20poly1305-04, except that it truncates the Poly1305
+// authenticator to 12 bytes. Create an instance by calling
 // QuicEncrypter::Create(kCC12).
 //
 // It uses an authentication tag of 16 bytes (128 bits). There is no
@@ -19,7 +20,7 @@ namespace net {
 class NET_EXPORT_PRIVATE ChaCha20Poly1305Encrypter : public AeadBaseEncrypter {
  public:
   enum {
-    kAuthTagSize = 16,
+    kAuthTagSize = 12,
   };
 
   ChaCha20Poly1305Encrypter();
diff --git a/net/quic/crypto/chacha20_poly1305_encrypter_test.cc b/net/quic/crypto/chacha20_poly1305_encrypter_test.cc
index 6fa42593c4..0273b27933 100644
--- a/net/quic/crypto/chacha20_poly1305_encrypter_test.cc
+++ b/net/quic/crypto/chacha20_poly1305_encrypter_test.cc
@@ -29,7 +29,7 @@ const TestVector test_vectors[] = {
     "86d09974840bded2a5ca",
     "cd7cf67be39c794a",
     "87e229d4500845a079c0",
-    "e3e446f7ede9a19b62a4677dabf4e3d24b876bb284753896e1d6"
+    "e3e446f7ede9a19b62a4677dabf4e3d24b876bb28475"  // "3896e1d6" truncated.
   },
   { NULL }
 };
@@ -92,16 +92,16 @@ TEST(ChaCha20Poly1305EncrypterTest, Encrypt) {
 
 TEST(ChaCha20Poly1305EncrypterTest, GetMaxPlaintextSize) {
   ChaCha20Poly1305Encrypter encrypter;
-  EXPECT_EQ(1000u, encrypter.GetMaxPlaintextSize(1016));
-  EXPECT_EQ(100u, encrypter.GetMaxPlaintextSize(116));
-  EXPECT_EQ(10u, encrypter.GetMaxPlaintextSize(26));
+  EXPECT_EQ(1000u, encrypter.GetMaxPlaintextSize(1012));
+  EXPECT_EQ(100u, encrypter.GetMaxPlaintextSize(112));
+  EXPECT_EQ(10u, encrypter.GetMaxPlaintextSize(22));
 }
 
 TEST(ChaCha20Poly1305EncrypterTest, GetCiphertextSize) {
   ChaCha20Poly1305Encrypter encrypter;
-  EXPECT_EQ(1016u, encrypter.GetCiphertextSize(1000));
-  EXPECT_EQ(116u, encrypter.GetCiphertextSize(100));
-  EXPECT_EQ(26u, encrypter.GetCiphertextSize(10));
+  EXPECT_EQ(1012u, encrypter.GetCiphertextSize(1000));
+  EXPECT_EQ(112u, encrypter.GetCiphertextSize(100));
+  EXPECT_EQ(22u, encrypter.GetCiphertextSize(10));
 }
 
 }  // namespace test
diff --git a/net/quic/crypto/proof_test.cc b/net/quic/crypto/proof_test.cc
index df68dd04dd..377bc80839 100644
--- a/net/quic/crypto/proof_test.cc
+++ b/net/quic/crypto/proof_test.cc
@@ -24,74 +24,7 @@ using std::vector;
 
 namespace net {
 namespace test {
-
-TEST(ProofTest, Verify) {
-  // TODO(rtenneti): Enable testing of ProofVerifier.
-#if 0
-  scoped_ptr<ProofSource> source(CryptoTestUtils::ProofSourceForTesting());
-  scoped_ptr<ProofVerifier> verifier(
-      CryptoTestUtils::ProofVerifierForTesting());
-
-  const string server_config = "server config bytes";
-  const string hostname = "test.example.com";
-  const vector<string>* certs;
-  const vector<string>* first_certs;
-  string error_details, signature, first_signature;
-  CertVerifyResult cert_verify_result;
-
-  ASSERT_TRUE(source->GetProof(hostname, server_config, false /* no ECDSA */,
-                               &first_certs, &first_signature));
-  ASSERT_TRUE(source->GetProof(hostname, server_config, false /* no ECDSA */,
-                               &certs, &signature));
-
-  // Check that the proof source is caching correctly:
-  ASSERT_EQ(first_certs, certs);
-  ASSERT_EQ(signature, first_signature);
-
-  int rv;
-  TestCompletionCallback callback;
-  rv = verifier->VerifyProof(hostname, server_config, *certs, signature,
-                             &error_details, &cert_verify_result,
-                             callback.callback());
-  rv = callback.GetResult(rv);
-  ASSERT_EQ(OK, rv);
-  ASSERT_EQ("", error_details);
-  ASSERT_FALSE(IsCertStatusError(cert_verify_result.cert_status));
-
-  rv = verifier->VerifyProof("foo.com", server_config, *certs, signature,
-                             &error_details, &cert_verify_result,
-                             callback.callback());
-  rv = callback.GetResult(rv);
-  ASSERT_EQ(ERR_FAILED, rv);
-  ASSERT_NE("", error_details);
-
-  rv = verifier->VerifyProof(hostname, server_config.substr(1, string::npos),
-                             *certs, signature, &error_details,
-                             &cert_verify_result, callback.callback());
-  rv = callback.GetResult(rv);
-  ASSERT_EQ(ERR_FAILED, rv);
-  ASSERT_NE("", error_details);
-
-  const string corrupt_signature = "1" + signature;
-  rv = verifier->VerifyProof(hostname, server_config, *certs,
-                             corrupt_signature, &error_details,
-                             &cert_verify_result, callback.callback());
-  rv = callback.GetResult(rv);
-  ASSERT_EQ(ERR_FAILED, rv);
-  ASSERT_NE("", error_details);
-
-  vector<string> wrong_certs;
-  for (size_t i = 1; i < certs->size(); i++) {
-    wrong_certs.push_back((*certs)[i]);
-  }
-  rv = verifier->VerifyProof("foo.com", server_config, wrong_certs, signature,
-                             &error_details, &cert_verify_result,
-                             callback.callback());
-  rv = callback.GetResult(rv);
-  ASSERT_EQ(ERR_FAILED, rv);
-  ASSERT_NE("", error_details);
-#endif  // 0
-}
+namespace {
 
 // TestProofVerifierCallback is a simple callback for a ProofVerifier that
 // signals a TestCompletionCallback when called and stores the results from the
@@ -122,22 +55,24 @@ class TestProofVerifierCallback : public ProofVerifierCallback {
 
 // RunVerification runs |verifier->VerifyProof| and asserts that the result
 // matches |expected_ok|.
-static void RunVerification(ProofVerifier* verifier,
-                            const string& hostname,
-                            const string& server_config,
-                            const vector<string>& certs,
-                            const string& proof,
-                            bool expected_ok) {
+void RunVerification(ProofVerifier* verifier,
+                     const string& hostname,
+                     const string& server_config,
+                     const vector<string>& certs,
+                     const string& proof,
+                     bool expected_ok) {
   scoped_ptr<ProofVerifyDetails> details;
   TestCompletionCallback comp_callback;
   bool ok;
   string error_details;
+  scoped_ptr<ProofVerifyContext> verify_context(
+      CryptoTestUtils::ProofVerifyContextForTesting());
   TestProofVerifierCallback* callback =
       new TestProofVerifierCallback(&comp_callback, &ok, &error_details);
 
   ProofVerifier::Status status = verifier->VerifyProof(
-      hostname, server_config, certs, proof, &error_details, &details,
-      callback);
+      hostname, server_config, certs, proof, verify_context.get(),
+      &error_details, &details, callback);
 
   switch (status) {
     case ProofVerifier::FAILURE:
@@ -155,10 +90,12 @@ static void RunVerification(ProofVerifier* verifier,
   }
 }
 
-static string PEMCertFileToDER(const string& file_name) {
+// Reads the certificate named "quic_" + |file_name| in the test data directory.
+// The certificate must be PEM encoded. Returns the DER-encoded certificate.
+string LoadTestCert(const string& file_name) {
   base::FilePath certs_dir = GetTestCertsDirectory();
   scoped_refptr<X509Certificate> cert =
-      ImportCertFromFile(certs_dir, file_name);
+      ImportCertFromFile(certs_dir, "quic_" + file_name);
   CHECK_NE(static_cast<X509Certificate*>(NULL), cert);
 
   string der_bytes;
@@ -166,12 +103,58 @@ static string PEMCertFileToDER(const string& file_name) {
   return der_bytes;
 }
 
+}  // namespace
+
+// TODO(rtenneti): Enable testing of ProofVerifier.
+TEST(ProofTest, DISABLED_Verify) {
+  scoped_ptr<ProofSource> source(CryptoTestUtils::ProofSourceForTesting());
+  scoped_ptr<ProofVerifier> verifier(
+      CryptoTestUtils::ProofVerifierForTesting());
+
+  const string server_config = "server config bytes";
+  const string hostname = "test.example.com";
+  const vector<string>* certs;
+  const vector<string>* first_certs;
+  string error_details, signature, first_signature;
+
+  ASSERT_TRUE(source->GetProof(hostname, server_config, false /* no ECDSA */,
+                               &first_certs, &first_signature));
+  ASSERT_TRUE(source->GetProof(hostname, server_config, false /* no ECDSA */,
+                               &certs, &signature));
+
+  // Check that the proof source is caching correctly:
+  ASSERT_EQ(first_certs, certs);
+  ASSERT_EQ(signature, first_signature);
+
+  RunVerification(
+      verifier.get(), hostname, server_config, *certs, signature, true);
+
+  RunVerification(
+      verifier.get(), "foo.com", server_config, *certs, signature, false);
+
+  RunVerification(
+      verifier.get(), server_config.substr(1, string::npos), server_config,
+      *certs, signature, false);
+
+  const string corrupt_signature = "1" + signature;
+  RunVerification(
+      verifier.get(), hostname, server_config, *certs, corrupt_signature,
+      false);
+
+  vector<string> wrong_certs;
+  for (size_t i = 1; i < certs->size(); i++) {
+    wrong_certs.push_back((*certs)[i]);
+  }
+  RunVerification(
+      verifier.get(), "foo.com", server_config, wrong_certs, corrupt_signature,
+      false);
+}
+
 // A known answer test that allows us to test ProofVerifier without a working
 // ProofSource.
 TEST(ProofTest, VerifyRSAKnownAnswerTest) {
   // These sample signatures were generated by running the Proof.Verify test
   // and dumping the bytes of the |signature| output of ProofSource::GetProof().
-  // sLen = special value -2 used by OpenSSL.
   static const unsigned char signature_data_0[] = {
     0x31, 0xd5, 0xfb, 0x40, 0x30, 0x75, 0xd2, 0x7d, 0x61, 0xf9, 0xd7, 0x54,
     0x30, 0x06, 0xaf, 0x54, 0x0d, 0xb0, 0x0a, 0xda, 0x63, 0xca, 0x7e, 0x9e,
@@ -250,11 +233,10 @@ TEST(ProofTest, VerifyRSAKnownAnswerTest) {
 
   const string server_config = "server config bytes";
   const string hostname = "test.example.com";
-  CertVerifyResult cert_verify_result;
 
   vector<string> certs(2);
-  certs[0] = PEMCertFileToDER("quic_test.example.com.crt");
-  certs[1] = PEMCertFileToDER("quic_intermediate.crt");
+  certs[0] = LoadTestCert("test.example.com.crt");
+  certs[1] = LoadTestCert("intermediate.crt");
 
   // Signatures are nondeterministic, so we test multiple signatures on the
   // same server_config.
@@ -333,11 +315,10 @@ TEST(ProofTest, VerifyECDSAKnownAnswerTest) {
 
   const string server_config = "server config bytes";
   const string hostname = "test.example.com";
-  CertVerifyResult cert_verify_result;
 
   vector<string> certs(2);
-  certs[0] = PEMCertFileToDER("quic_test_ecc.example.com.crt");
-  certs[1] = PEMCertFileToDER("quic_intermediate.crt");
+  certs[0] = LoadTestCert("test_ecc.example.com.crt");
+  certs[1] = LoadTestCert("intermediate.crt");
 
   // Signatures are nondeterministic, so we test multiple signatures on the
   // same server_config.
diff --git a/net/quic/crypto/proof_verifier.cc b/net/quic/crypto/proof_verifier.cc
deleted file mode 100644
index 4132a31c31..0000000000
--- a/net/quic/crypto/proof_verifier.cc
+++ /dev/null
@@ -1,13 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/quic/crypto/proof_verifier.h"
-
-namespace net {
-
-ProofVerifierCallback::~ProofVerifierCallback() {}
-
-ProofVerifier::~ProofVerifier() {}
-
-}  // namespace net
diff --git a/net/quic/crypto/proof_verifier.h b/net/quic/crypto/proof_verifier.h
index 3b47776130..0cbdb6a014 100644
--- a/net/quic/crypto/proof_verifier.h
+++ b/net/quic/crypto/proof_verifier.h
@@ -21,11 +21,18 @@ class NET_EXPORT_PRIVATE ProofVerifyDetails {
   virtual ~ProofVerifyDetails() {}
 };
 
+// ProofVerifyContext is an abstract class that acts as a container for any
+// implementation specific context that a ProofVerifier needs.
+class NET_EXPORT_PRIVATE ProofVerifyContext {
+ public:
+  virtual ~ProofVerifyContext() {}
+};
+
 // ProofVerifierCallback provides a generic mechanism for a ProofVerifier to
 // call back after an asynchronous verification.
 class NET_EXPORT_PRIVATE ProofVerifierCallback {
  public:
-  virtual ~ProofVerifierCallback();
+  virtual ~ProofVerifierCallback() {}
 
   // Run is called on the original thread to mark the completion of an
   // asynchonous verification. If |ok| is true then the certificate is valid
@@ -51,7 +58,7 @@ class NET_EXPORT_PRIVATE ProofVerifier {
     PENDING = 2,
   };
 
-  virtual ~ProofVerifier();
+  virtual ~ProofVerifier() {}
 
   // VerifyProof checks that |signature| is a valid signature of
   // |server_config| by the public key in the leaf certificate of |certs|, and
@@ -60,6 +67,10 @@ class NET_EXPORT_PRIVATE ProofVerifier {
   // description of the problem. In either case it may set |*details|, which the
   // caller takes ownership of.
   //
+  // |context| specifies an implementation specific struct (which may be NULL
+  // for some implementations) that provides useful information for the
+  // verifier, e.g. logging handles.
+  //
   // This function may also return PENDING, in which case the ProofVerifier
   // will call back, on the original thread, via |callback| when complete.
   // In this case, the ProofVerifier will take ownership of |callback|.
@@ -70,6 +81,7 @@ class NET_EXPORT_PRIVATE ProofVerifier {
                              const std::string& server_config,
                              const std::vector<std::string>& certs,
                              const std::string& signature,
+                             const ProofVerifyContext* context,
                              std::string* error_details,
                              scoped_ptr<ProofVerifyDetails>* details,
                              ProofVerifierCallback* callback) = 0;
diff --git a/net/quic/crypto/proof_verifier_chromium.cc b/net/quic/crypto/proof_verifier_chromium.cc
index 8584aedda7..fdb6a0d443 100644
--- a/net/quic/crypto/proof_verifier_chromium.cc
+++ b/net/quic/crypto/proof_verifier_chromium.cc
@@ -47,7 +47,7 @@ class ProofVerifierChromium::Job {
                      const std::vector<std::string>& certs,
                      const std::string& signature,
                      std::string* error_details,
-                     scoped_ptr<ProofVerifyDetails>* details,
+                     scoped_ptr<ProofVerifyDetails>* verify_details,
                      ProofVerifierCallback* callback);
 
  private:
@@ -104,10 +104,10 @@ ProofVerifierChromium::Status ProofVerifierChromium::Job::VerifyProof(
     const vector<string>& certs,
     const string& signature,
     std::string* error_details,
-    scoped_ptr<ProofVerifyDetails>* details,
+    scoped_ptr<ProofVerifyDetails>* verify_details,
     ProofVerifierCallback* callback) {
   DCHECK(error_details);
-  DCHECK(details);
+  DCHECK(verify_details);
   DCHECK(callback);
 
   callback_.reset(callback);
@@ -125,7 +125,7 @@ ProofVerifierChromium::Status ProofVerifierChromium::Job::VerifyProof(
     *error_details = "Failed to create certificate chain. Certs are empty.";
     DLOG(WARNING) << *error_details;
     verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;
-    details->reset(verify_details_.release());
+    verify_details->reset(verify_details_.release());
     return FAILURE;
   }
 
@@ -139,7 +139,7 @@ ProofVerifierChromium::Status ProofVerifierChromium::Job::VerifyProof(
     *error_details = "Failed to create certificate chain";
     DLOG(WARNING) << *error_details;
     verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;
-    details->reset(verify_details_.release());
+    verify_details->reset(verify_details_.release());
     return FAILURE;
   }
 
@@ -149,7 +149,7 @@ ProofVerifierChromium::Status ProofVerifierChromium::Job::VerifyProof(
     *error_details = "Failed to verify signature of server config";
     DLOG(WARNING) << *error_details;
     verify_details_->cert_verify_result.cert_status = CERT_STATUS_INVALID;
-    details->reset(verify_details_.release());
+    verify_details->reset(verify_details_.release());
     return FAILURE;
   }
 
@@ -158,13 +158,13 @@ ProofVerifierChromium::Status ProofVerifierChromium::Job::VerifyProof(
   next_state_ = STATE_VERIFY_CERT;
   switch (DoLoop(OK)) {
     case OK:
-      details->reset(verify_details_.release());
+      verify_details->reset(verify_details_.release());
       return SUCCESS;
     case ERR_IO_PENDING:
       return PENDING;
     default:
       *error_details = error_details_;
-      details->reset(verify_details_.release());
+      verify_details->reset(verify_details_.release());
       return FAILURE;
   }
 }
@@ -310,11 +310,8 @@ bool ProofVerifierChromium::Job::VerifySignature(const string& signed_data,
   return true;
 }
 
-ProofVerifierChromium::ProofVerifierChromium(CertVerifier* cert_verifier,
-                                             const BoundNetLog& net_log)
-  : cert_verifier_(cert_verifier),
-    net_log_(net_log) {
-}
+ProofVerifierChromium::ProofVerifierChromium(CertVerifier* cert_verifier)
+    : cert_verifier_(cert_verifier) {}
 
 ProofVerifierChromium::~ProofVerifierChromium() {
   STLDeleteElements(&active_jobs_);
@@ -325,12 +322,19 @@ ProofVerifierChromium::Status ProofVerifierChromium::VerifyProof(
     const std::string& server_config,
     const std::vector<std::string>& certs,
     const std::string& signature,
+    const ProofVerifyContext* verify_context,
     std::string* error_details,
-    scoped_ptr<ProofVerifyDetails>* details,
+    scoped_ptr<ProofVerifyDetails>* verify_details,
     ProofVerifierCallback* callback) {
-  scoped_ptr<Job> job(new Job(this, cert_verifier_, net_log_));
+  if (!verify_context) {
+    *error_details = "Missing context";
+    return FAILURE;
+  }
+  const ProofVerifyContextChromium* chromium_context =
+      reinterpret_cast<const ProofVerifyContextChromium*>(verify_context);
+  scoped_ptr<Job> job(new Job(this, cert_verifier_, chromium_context->net_log));
   Status status = job->VerifyProof(hostname, server_config, certs, signature,
-                                   error_details, details, callback);
+                                   error_details, verify_details, callback);
   if (status == PENDING) {
     active_jobs_.insert(job.release());
   }
diff --git a/net/quic/crypto/proof_verifier_chromium.h b/net/quic/crypto/proof_verifier_chromium.h
index 7f695e678e..ebf9a2c41c 100644
--- a/net/quic/crypto/proof_verifier_chromium.h
+++ b/net/quic/crypto/proof_verifier_chromium.h
@@ -15,6 +15,7 @@
 #include "net/base/net_export.h"
 #include "net/base/net_log.h"
 #include "net/cert/cert_verify_result.h"
+#include "net/cert/x509_certificate.h"
 #include "net/quic/crypto/proof_verifier.h"
 
 namespace net {
@@ -29,12 +30,21 @@ struct ProofVerifyDetailsChromium : public ProofVerifyDetails {
   CertVerifyResult cert_verify_result;
 };
 
+// ProofVerifyContextChromium is the implementation-specific information that a
+// ProofVerifierChromium needs in order to log correctly.
+struct ProofVerifyContextChromium : public ProofVerifyContext {
+ public:
+  explicit ProofVerifyContextChromium(const BoundNetLog& net_log)
+      : net_log(net_log) {}
+
+  BoundNetLog net_log;
+};
+
 // ProofVerifierChromium implements the QUIC ProofVerifier interface.  It is
 // capable of handling multiple simultaneous requests.
 class NET_EXPORT_PRIVATE ProofVerifierChromium : public ProofVerifier {
  public:
-  ProofVerifierChromium(CertVerifier* cert_verifier,
-                        const BoundNetLog& net_log);
+  explicit ProofVerifierChromium(CertVerifier* cert_verifier);
   virtual ~ProofVerifierChromium();
 
   // ProofVerifier interface
@@ -42,8 +52,9 @@ class NET_EXPORT_PRIVATE ProofVerifierChromium : public ProofVerifier {
                              const std::string& server_config,
                              const std::vector<std::string>& certs,
                              const std::string& signature,
+                             const ProofVerifyContext* verify_context,
                              std::string* error_details,
-                             scoped_ptr<ProofVerifyDetails>* details,
+                             scoped_ptr<ProofVerifyDetails>* verify_details,
                              ProofVerifierCallback* callback) OVERRIDE;
 
  private:
@@ -58,8 +69,6 @@ class NET_EXPORT_PRIVATE ProofVerifierChromium : public ProofVerifier {
   // Underlying verifier used to verify certificates.
   CertVerifier* const cert_verifier_;
 
-  BoundNetLog net_log_;
-
   DISALLOW_COPY_AND_ASSIGN(ProofVerifierChromium);
 };
 
diff --git a/net/quic/crypto/quic_crypto_client_config.cc b/net/quic/crypto/quic_crypto_client_config.cc
index 0fa78a4b91..8f34745cd1 100644
--- a/net/quic/crypto/quic_crypto_client_config.cc
+++ b/net/quic/crypto/quic_crypto_client_config.cc
@@ -5,7 +5,9 @@
 #include "net/quic/crypto/quic_crypto_client_config.h"
 
 #include "base/stl_util.h"
+#include "base/strings/string_util.h"
 #include "net/quic/crypto/cert_compressor.h"
+#include "net/quic/crypto/chacha20_poly1305_encrypter.h"
 #include "net/quic/crypto/channel_id.h"
 #include "net/quic/crypto/common_cert_set.h"
 #include "net/quic/crypto/crypto_framer.h"
@@ -18,11 +20,8 @@
 #include "net/quic/quic_session_key.h"
 #include "net/quic/quic_utils.h"
 
-#if defined(OS_WIN)
-#include "base/win/windows_version.h"
-#endif
-
 using base::StringPiece;
+using std::find;
 using std::make_pair;
 using std::map;
 using std::string;
@@ -30,7 +29,8 @@ using std::vector;
 
 namespace net {
 
-QuicCryptoClientConfig::QuicCryptoClientConfig() {}
+QuicCryptoClientConfig::QuicCryptoClientConfig()
+    : disable_ecdsa_(false) {}
 
 QuicCryptoClientConfig::~QuicCryptoClientConfig() {
   STLDeleteValues(&cached_states_);
@@ -249,26 +249,31 @@ void QuicCryptoClientConfig::SetDefaults() {
   kexs[0] = kC255;
   kexs[1] = kP256;
 
-  // Authenticated encryption algorithms.
-  aead.resize(1);
-  aead[0] = kAESG;
+  // Authenticated encryption algorithms. Prefer ChaCha20 by default.
+  aead.clear();
+  if (ChaCha20Poly1305Encrypter::IsSupported()) {
+    aead.push_back(kCC12);
+  }
+  aead.push_back(kAESG);
+
+  disable_ecdsa_ = false;
 }
 
 QuicCryptoClientConfig::CachedState* QuicCryptoClientConfig::LookupOrCreate(
     const QuicSessionKey& server_key) {
-  map<QuicSessionKey, CachedState*>::const_iterator it =
-      cached_states_.find(server_key);
+  CachedStateMap::const_iterator it = cached_states_.find(server_key);
   if (it != cached_states_.end()) {
     return it->second;
   }
 
   CachedState* cached = new CachedState;
   cached_states_.insert(make_pair(server_key, cached));
+  PopulateFromCanonicalConfig(server_key, cached);
   return cached;
 }
 
 void QuicCryptoClientConfig::FillInchoateClientHello(
-    const string& server_hostname,
+    const QuicSessionKey& server_key,
     const QuicVersion preferred_version,
     const CachedState* cached,
     QuicCryptoNegotiatedParameters* out_params,
@@ -278,8 +283,8 @@ void QuicCryptoClientConfig::FillInchoateClientHello(
 
   // Server name indication. We only send SNI if it's a valid domain name, as
   // per the spec.
-  if (CryptoUtils::IsValidSNI(server_hostname)) {
-    out->SetStringPiece(kSNI, server_hostname);
+  if (CryptoUtils::IsValidSNI(server_key.host())) {
+    out->SetStringPiece(kSNI, server_key.host());
   }
   out->SetValue(kVER, QuicVersionToQuicTag(preferred_version));
 
@@ -287,15 +292,8 @@ void QuicCryptoClientConfig::FillInchoateClientHello(
     out->SetStringPiece(kSourceAddressTokenTag, cached->source_address_token());
   }
 
-  if (proof_verifier_.get()) {
-    // Don't request ECDSA proofs on platforms that do not support ECDSA
-    // certificates.
-    bool disableECDSA = false;
-#if defined(OS_WIN)
-    if (base::win::GetVersion() < base::win::VERSION_VISTA)
-      disableECDSA = true;
-#endif
-    if (disableECDSA) {
+  if (server_key.is_https()) {
+    if (disable_ecdsa_) {
       out->SetTaglist(kPDMD, kX59R, 0);
     } else {
       out->SetTaglist(kPDMD, kX509, 0);
@@ -324,7 +322,7 @@ void QuicCryptoClientConfig::FillInchoateClientHello(
 }
 
 QuicErrorCode QuicCryptoClientConfig::FillClientHello(
-    const string& server_hostname,
+    const QuicSessionKey& server_key,
     QuicConnectionId connection_id,
     const QuicVersion preferred_version,
     const CachedState* cached,
@@ -335,7 +333,7 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
     string* error_details) const {
   DCHECK(error_details != NULL);
 
-  FillInchoateClientHello(server_hostname, preferred_version, cached,
+  FillInchoateClientHello(server_key, preferred_version, cached,
                           out_params, out);
 
   const CryptoHandshakeMessage* scfg = cached->GetServerConfig();
@@ -364,13 +362,18 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
     return QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER;
   }
 
+  // AEAD: the work loads on the client and server are symmetric. Since the
+  // client is more likely to be CPU-constrained, break the tie by favoring
+  // the client's preference.
+  // Key exchange: the client does more work than the server, so favor the
+  // client's preference.
   size_t key_exchange_index;
   if (!QuicUtils::FindMutualTag(
-          aead, their_aeads, num_their_aeads, QuicUtils::PEER_PRIORITY,
+          aead, their_aeads, num_their_aeads, QuicUtils::LOCAL_PRIORITY,
           &out_params->aead, NULL) ||
       !QuicUtils::FindMutualTag(
           kexs, their_key_exchanges, num_their_key_exchanges,
-          QuicUtils::PEER_PRIORITY, &out_params->key_exchange,
+          QuicUtils::LOCAL_PRIORITY, &out_params->key_exchange,
           &key_exchange_index)) {
     *error_details = "Unsupported AEAD or KEXS";
     return QUIC_CRYPTO_NO_SUPPORT;
@@ -455,7 +458,7 @@ QuicErrorCode QuicCryptoClientConfig::FillClientHello(
     hkdf_input.append(cached->server_config());
 
     string key, signature;
-    if (!channel_id_signer_->Sign(server_hostname, hkdf_input,
+    if (!channel_id_signer_->Sign(server_key.host(), hkdf_input,
                                   &key, &signature)) {
       *error_details = "Channel ID signature failed";
       return QUIC_INVALID_CHANNEL_ID_SIGNATURE;
@@ -680,4 +683,60 @@ void QuicCryptoClientConfig::InitializeFrom(
   cached->InitializeFrom(*canonical_cached);
 }
 
+void QuicCryptoClientConfig::AddCanonicalSuffix(const string& suffix) {
+  canoncial_suffixes_.push_back(suffix);
+}
+
+void QuicCryptoClientConfig::PreferAesGcm() {
+  DCHECK(!aead.empty());
+  if (aead.size() <= 1) {
+    return;
+  }
+  QuicTagVector::iterator pos = find(aead.begin(), aead.end(), kAESG);
+  if (pos != aead.end()) {
+    aead.erase(pos);
+    aead.insert(aead.begin(), kAESG);
+  }
+}
+
+void QuicCryptoClientConfig::DisableEcdsa() {
+  disable_ecdsa_ = true;
+}
+
+void QuicCryptoClientConfig::PopulateFromCanonicalConfig(
+    const QuicSessionKey& server_key,
+    CachedState* server_state) {
+  DCHECK(server_state->IsEmpty());
+  unsigned i = 0;
+  for (; i < canoncial_suffixes_.size(); ++i) {
+    if (EndsWith(server_key.host(), canoncial_suffixes_[i], false)) {
+      break;
+    }
+  }
+  if (i == canoncial_suffixes_.size())
+    return;
+
+  QuicSessionKey suffix_server_key(canoncial_suffixes_[i], server_key.port(),
+                                   server_key.is_https(),
+                                   server_key.privacy_mode());
+  if (!ContainsKey(canonical_server_map_, suffix_server_key)) {
+    // This is the first host we've seen which matches the suffix, so make it
+    // canonical.
+    canonical_server_map_[suffix_server_key] = server_key;
+    return;
+  }
+
+  const QuicSessionKey& canonical_server_key =
+      canonical_server_map_[suffix_server_key];
+  CachedState* canonical_state = cached_states_[canonical_server_key];
+  if (!canonical_state->proof_valid()) {
+    return;
+  }
+
+  // Update canonical version to point at the "most recent" entry.
+  canonical_server_map_[suffix_server_key] = server_key;
+
+  server_state->InitializeFrom(*canonical_state);
+}
+
 }  // namespace net
diff --git a/net/quic/crypto/quic_crypto_client_config.h b/net/quic/crypto/quic_crypto_client_config.h
index f2e8649bb1..d6ce2e4c4a 100644
--- a/net/quic/crypto/quic_crypto_client_config.h
+++ b/net/quic/crypto/quic_crypto_client_config.h
@@ -143,7 +143,7 @@ class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
   // |out_params->cached_certs|. |preferred_version| is the version of the
   // QUIC protocol that this client chose to use initially. This allows the
   // server to detect downgrade attacks.
-  void FillInchoateClientHello(const std::string& server_hostname,
+  void FillInchoateClientHello(const QuicSessionKey& server_key,
                                const QuicVersion preferred_version,
                                const CachedState* cached,
                                QuicCryptoNegotiatedParameters* out_params,
@@ -151,7 +151,7 @@ class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
 
   // FillClientHello sets |out| to be a CHLO message based on the configuration
   // of this object. This object must have cached enough information about
-  // |server_hostname| in order to perform a handshake. This can be checked
+  // the server's hostname in order to perform a handshake. This can be checked
   // with the |IsComplete| member of |CachedState|.
   //
   // |clock| and |rand| are used to generate the nonce and |out_params| is
@@ -159,7 +159,7 @@ class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
   // accept. |preferred_version| is the version of the QUIC protocol that this
   // client chose to use initially. This allows the server to detect downgrade
   // attacks.
-  QuicErrorCode FillClientHello(const std::string& server_hostname,
+  QuicErrorCode FillClientHello(const QuicSessionKey& server_key,
                                 QuicConnectionId connection_id,
                                 const QuicVersion preferred_version,
                                 const CachedState* cached,
@@ -218,14 +218,51 @@ class NET_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
                       const QuicSessionKey& canonical_server_key,
                       QuicCryptoClientConfig* canonical_crypto_config);
 
+  // Adds |suffix| as a domain suffix for which the server's crypto config
+  // is expected to be shared among servers with the domain suffix. If a server
+  // matches this suffix, then the server config from another server with the
+  // suffix will be used to initialize the cached state for this server.
+  void AddCanonicalSuffix(const std::string& suffix);
+
+  // Prefers AES-GCM (kAESG) over other AEAD algorithms. Call this method if
+  // the CPU has hardware acceleration for AES-GCM. This method can only be
+  // called after SetDefaults().
+  void PreferAesGcm();
+
+  // Disables the use of ECDSA for proof verification.
+  // Call this method on platforms that do not support ECDSA.
+  // TODO(rch): remove this method when we drop support for Windows XP.
+  void DisableEcdsa();
+
  private:
+  typedef std::map<QuicSessionKey, CachedState*> CachedStateMap;
+
+  // If the suffix of the hostname in |server_key| is in |canoncial_suffixes_|,
+  // then populate |cached| with the canonical cached state from
+  // |canonical_server_map_| for that suffix.
+  void PopulateFromCanonicalConfig(const QuicSessionKey& server_key,
+                                   CachedState* cached);
+
   // cached_states_ maps from the server_key to the cached information about
   // that server.
-  std::map<QuicSessionKey, CachedState*> cached_states_;
+  CachedStateMap cached_states_;
+
+  // Contains a map of servers which could share the same server config. Map
+  // from a canonical host suffix/port/scheme to a representative server with
+  // the canonical suffix, which has a plausible set of initial certificates
+  // (or at least server public key).
+  std::map<QuicSessionKey, QuicSessionKey> canonical_server_map_;
+
+  // Contains list of suffixes (for exmaple ".c.youtube.com",
+  // ".googlevideo.com") of canoncial hostnames.
+  std::vector<std::string> canoncial_suffixes_;
 
   scoped_ptr<ProofVerifier> proof_verifier_;
   scoped_ptr<ChannelIDSigner> channel_id_signer_;
 
+  // True if ECDSA should be disabled.
+  bool disable_ecdsa_;
+
   DISALLOW_COPY_AND_ASSIGN(QuicCryptoClientConfig);
 };
 
diff --git a/net/quic/crypto/quic_crypto_client_config_test.cc b/net/quic/crypto/quic_crypto_client_config_test.cc
index d151e0c329..b74a37a921 100644
--- a/net/quic/crypto/quic_crypto_client_config_test.cc
+++ b/net/quic/crypto/quic_crypto_client_config_test.cc
@@ -56,7 +56,8 @@ TEST(QuicCryptoClientConfigTest, InchoateChlo) {
   QuicCryptoClientConfig config;
   QuicCryptoNegotiatedParameters params;
   CryptoHandshakeMessage msg;
-  config.FillInchoateClientHello("www.google.com", QuicVersionMax(), &state,
+  QuicSessionKey server_key("www.google.com", 80, false, kPrivacyModeDisabled);
+  config.FillInchoateClientHello(server_key, QuicVersionMax(), &state,
                                  &params, &msg);
 
   QuicTag cver;
@@ -64,6 +65,44 @@ TEST(QuicCryptoClientConfigTest, InchoateChlo) {
   EXPECT_EQ(QuicVersionToQuicTag(QuicVersionMax()), cver);
 }
 
+TEST(QuicCryptoClientConfigTest, PreferAesGcm) {
+  QuicCryptoClientConfig config;
+  config.SetDefaults();
+  if (config.aead.size() > 1)
+    EXPECT_NE(kAESG, config.aead[0]);
+  config.PreferAesGcm();
+  EXPECT_EQ(kAESG, config.aead[0]);
+}
+
+TEST(QuicCryptoClientConfigTest, InchoateChloSecure) {
+  QuicCryptoClientConfig::CachedState state;
+  QuicCryptoClientConfig config;
+  QuicCryptoNegotiatedParameters params;
+  CryptoHandshakeMessage msg;
+  QuicSessionKey server_key("www.google.com", 443, true, kPrivacyModeDisabled);
+  config.FillInchoateClientHello(server_key, QuicVersionMax(), &state,
+                                 &params, &msg);
+
+  QuicTag pdmd;
+  EXPECT_EQ(QUIC_NO_ERROR, msg.GetUint32(kPDMD, &pdmd));
+  EXPECT_EQ(kX509, pdmd);
+}
+
+TEST(QuicCryptoClientConfigTest, InchoateChloSecureNoEcdsa) {
+  QuicCryptoClientConfig::CachedState state;
+  QuicCryptoClientConfig config;
+  config.DisableEcdsa();
+  QuicCryptoNegotiatedParameters params;
+  CryptoHandshakeMessage msg;
+  QuicSessionKey server_key("www.google.com", 443, true, kPrivacyModeDisabled);
+  config.FillInchoateClientHello(server_key, QuicVersionMax(), &state,
+                                 &params, &msg);
+
+  QuicTag pdmd;
+  EXPECT_EQ(QUIC_NO_ERROR, msg.GetUint32(kPDMD, &pdmd));
+  EXPECT_EQ(kX59R, pdmd);
+}
+
 TEST(QuicCryptoClientConfigTest, ProcessServerDowngradeAttack) {
   QuicVersionVector supported_versions = QuicSupportedVersions();
   if (supported_versions.size() == 1) {
@@ -91,14 +130,15 @@ TEST(QuicCryptoClientConfigTest, ProcessServerDowngradeAttack) {
 
 TEST(QuicCryptoClientConfigTest, InitializeFrom) {
   QuicCryptoClientConfig config;
-  QuicSessionKey canonical_key1("www.google.com", 80, false);
+  QuicSessionKey canonical_key1("www.google.com", 80, false,
+                                kPrivacyModeDisabled);
   QuicCryptoClientConfig::CachedState* state =
       config.LookupOrCreate(canonical_key1);
   // TODO(rch): Populate other fields of |state|.
   state->set_source_address_token("TOKEN");
   state->SetProofValid();
 
-  QuicSessionKey other_key("mail.google.com", 80, false);
+  QuicSessionKey other_key("mail.google.com", 80, false, kPrivacyModeDisabled);
   config.InitializeFrom(other_key, canonical_key1, &config);
   QuicCryptoClientConfig::CachedState* other = config.LookupOrCreate(other_key);
 
diff --git a/net/quic/crypto/quic_crypto_server_config.cc b/net/quic/crypto/quic_crypto_server_config.cc
index 52e338b184..9d60c5f7d9 100644
--- a/net/quic/crypto/quic_crypto_server_config.cc
+++ b/net/quic/crypto/quic_crypto_server_config.cc
@@ -15,6 +15,7 @@
 #include "net/quic/crypto/aes_128_gcm_12_decrypter.h"
 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h"
 #include "net/quic/crypto/cert_compressor.h"
+#include "net/quic/crypto/chacha20_poly1305_encrypter.h"
 #include "net/quic/crypto/channel_id.h"
 #include "net/quic/crypto/crypto_framer.h"
 #include "net/quic/crypto/crypto_server_config_protobuf.h"
@@ -241,7 +242,11 @@ QuicServerConfigProtobuf* QuicCryptoServerConfig::GenerateConfig(
   } else {
     msg.SetTaglist(kKEXS, kC255, 0);
   }
-  msg.SetTaglist(kAEAD, kAESG, 0);
+  if (ChaCha20Poly1305Encrypter::IsSupported()) {
+    msg.SetTaglist(kAEAD, kAESG, kCC12, 0);
+  } else {
+    msg.SetTaglist(kAEAD, kAESG, 0);
+  }
   msg.SetStringPiece(kPUBS, encoded_public_values);
 
   if (options.expiry_time.IsZero()) {
diff --git a/net/quic/quic_client_session.cc b/net/quic/quic_client_session.cc
index 865c9b06cd..7dd913545d 100644
--- a/net/quic/quic_client_session.cc
+++ b/net/quic/quic_client_session.cc
@@ -28,6 +28,34 @@ namespace net {
 
 namespace {
 
+// Histograms for tracking down the crashes from http://crbug.com/354669
+// Note: these values must be kept in sync with the corresponding values in:
+// tools/metrics/histograms/histograms.xml
+enum Location {
+  DESTRUCTOR = 0,
+  ADD_OBSERVER = 1,
+  TRY_CREATE_STREAM = 2,
+  CREATE_OUTGOING_RELIABLE_STREAM = 3,
+  NOTIFY_FACTORY_OF_SESSION_CLOSED_LATER = 4,
+  NOTIFY_FACTORY_OF_SESSION_CLOSED = 5,
+  NUM_LOCATIONS = 6,
+};
+
+void RecordUnexpectedOpenStreams(Location location) {
+  UMA_HISTOGRAM_ENUMERATION("Net.QuicSession.UnexpectedOpenStreams", location,
+                            NUM_LOCATIONS);
+}
+
+void RecordUnexpectedObservers(Location location) {
+  UMA_HISTOGRAM_ENUMERATION("Net.QuicSession.UnexpectedObservers", location,
+                            NUM_LOCATIONS);
+}
+
+void RecordUnexpectedNotGoingAway(Location location) {
+  UMA_HISTOGRAM_ENUMERATION("Net.QuicSession.UnexpectedNotGoingAway", location,
+                            NUM_LOCATIONS);
+}
+
 // Note: these values must be kept in sync with the corresponding values in:
 // tools/metrics/histograms/histograms.xml
 enum HandshakeState {
@@ -95,7 +123,7 @@ QuicClientSession::QuicClientSession(
     const QuicConfig& config,
     QuicCryptoClientConfig* crypto_config,
     NetLog* net_log)
-    : QuicSession(connection, config),
+    : QuicClientSessionBase(connection, config),
       require_confirmation_(false),
       stream_factory_(stream_factory),
       socket_(socket.Pass()),
@@ -107,12 +135,15 @@ QuicClientSession::QuicClientSession(
       net_log_(BoundNetLog::Make(net_log, NetLog::SOURCE_QUIC_SESSION)),
       logger_(net_log_),
       num_packets_read_(0),
+      going_away_(false),
       weak_factory_(this) {
   crypto_stream_.reset(
       crypto_client_stream_factory ?
           crypto_client_stream_factory->CreateQuicCryptoClientStream(
               server_key, this, crypto_config) :
-          new QuicCryptoClientStream(server_key, this, this, crypto_config));
+          new QuicCryptoClientStream(server_key, this,
+                                     new ProofVerifyContextChromium(net_log_),
+                                     crypto_config));
 
   connection->set_debug_visitor(&logger_);
   // TODO(rch): pass in full host port proxy pair
@@ -122,6 +153,13 @@ QuicClientSession::QuicClientSession(
 }
 
 QuicClientSession::~QuicClientSession() {
+  if (!streams()->empty())
+    RecordUnexpectedOpenStreams(DESTRUCTOR);
+  if (!observers_.empty())
+    RecordUnexpectedObservers(DESTRUCTOR);
+  if (!going_away_)
+    RecordUnexpectedNotGoingAway(DESTRUCTOR);
+
   // The session must be closed before it is destroyed.
   DCHECK(streams()->empty());
   CloseAllStreams(ERR_UNEXPECTED);
@@ -200,6 +238,9 @@ bool QuicClientSession::OnStreamFrames(
 }
 
 void QuicClientSession::AddObserver(Observer* observer) {
+  if (going_away_)
+    RecordUnexpectedObservers(ADD_OBSERVER);
+
   DCHECK(!ContainsKey(observers_, observer));
   observers_.insert(observer);
 }
@@ -226,6 +267,11 @@ int QuicClientSession::TryCreateStream(StreamRequest* request,
     return ERR_CONNECTION_CLOSED;
   }
 
+  if (going_away_) {
+    RecordUnexpectedOpenStreams(TRY_CREATE_STREAM);
+    return ERR_CONNECTION_CLOSED;
+  }
+
   if (GetNumOpenStreams() < get_max_open_streams()) {
     *stream = CreateOutgoingReliableStreamImpl();
     return OK;
@@ -260,7 +306,10 @@ QuicReliableClientStream* QuicClientSession::CreateOutgoingDataStream() {
                << "Already received goaway.";
     return NULL;
   }
-
+  if (going_away_) {
+    RecordUnexpectedOpenStreams(CREATE_OUTGOING_RELIABLE_STREAM);
+    return NULL;
+  }
   return CreateOutgoingReliableStreamImpl();
 }
 
@@ -376,6 +425,7 @@ void QuicClientSession::OnClosedStream() {
       !stream_requests_.empty() &&
       crypto_stream_->encryption_established() &&
       !goaway_received() &&
+      !going_away_ &&
       connection()->connected()) {
     StreamRequest* request = stream_requests_.front();
     stream_requests_.pop_front();
@@ -616,11 +666,19 @@ void QuicClientSession::OnReadComplete(int result) {
 }
 
 void QuicClientSession::NotifyFactoryOfSessionGoingAway() {
+  going_away_ = true;
   if (stream_factory_)
     stream_factory_->OnSessionGoingAway(this);
 }
 
 void QuicClientSession::NotifyFactoryOfSessionClosedLater() {
+  if (!streams()->empty())
+    RecordUnexpectedOpenStreams(NOTIFY_FACTORY_OF_SESSION_CLOSED_LATER);
+
+  if (!going_away_)
+    RecordUnexpectedNotGoingAway(NOTIFY_FACTORY_OF_SESSION_CLOSED_LATER);
+
+  going_away_ = true;
   DCHECK_EQ(0u, GetNumOpenStreams());
   DCHECK(!connection()->connected());
   base::MessageLoop::current()->PostTask(
@@ -630,6 +688,13 @@ void QuicClientSession::NotifyFactoryOfSessionClosedLater() {
 }
 
 void QuicClientSession::NotifyFactoryOfSessionClosed() {
+  if (!streams()->empty())
+    RecordUnexpectedOpenStreams(NOTIFY_FACTORY_OF_SESSION_CLOSED);
+
+  if (!going_away_)
+    RecordUnexpectedNotGoingAway(NOTIFY_FACTORY_OF_SESSION_CLOSED);
+
+  going_away_ = true;
   DCHECK_EQ(0u, GetNumOpenStreams());
   // Will delete |this|.
   if (stream_factory_)
diff --git a/net/quic/quic_client_session.h b/net/quic/quic_client_session.h
index f9d3b7fc6e..801ad07ba5 100644
--- a/net/quic/quic_client_session.h
+++ b/net/quic/quic_client_session.h
@@ -17,11 +17,11 @@
 #include "base/memory/scoped_ptr.h"
 #include "net/base/completion_callback.h"
 #include "net/proxy/proxy_server.h"
+#include "net/quic/quic_client_session_base.h"
 #include "net/quic/quic_connection_logger.h"
 #include "net/quic/quic_crypto_client_stream.h"
 #include "net/quic/quic_protocol.h"
 #include "net/quic/quic_reliable_client_stream.h"
-#include "net/quic/quic_session.h"
 
 namespace net {
 
@@ -39,9 +39,7 @@ namespace test {
 class QuicClientSessionPeer;
 }  // namespace test
 
-class NET_EXPORT_PRIVATE QuicClientSession :
-      public QuicSession,
-      public QuicCryptoClientStream::Visitor {
+class NET_EXPORT_PRIVATE QuicClientSession : public QuicClientSessionBase {
  public:
   // An interface for observing events on a session.
   class NET_EXPORT_PRIVATE Observer {
@@ -136,7 +134,7 @@ class NET_EXPORT_PRIVATE QuicClientSession :
       const CryptoHandshakeMessage& message) OVERRIDE;
   virtual bool GetSSLInfo(SSLInfo* ssl_info) const OVERRIDE;
 
-  // QuicCryptoClientStream::Visitor methods:
+  // QuicClientSessionBase methods:
   virtual void OnProofValid(
       const QuicCryptoClientConfig::CachedState& cached) OVERRIDE;
   virtual void OnProofVerifyDetailsAvailable(
@@ -232,6 +230,9 @@ class NET_EXPORT_PRIVATE QuicClientSession :
   QuicConnectionLogger logger_;
   // Number of packets read in the current read loop.
   size_t num_packets_read_;
+  // True when the session is going away, and streams may no longer be created
+  // on this session. Existing stream will continue to be processed.
+  bool going_away_;
   base::WeakPtrFactory<QuicClientSession> weak_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(QuicClientSession);
diff --git a/net/quic/quic_client_session_base.cc b/net/quic/quic_client_session_base.cc
new file mode 100644
index 0000000000..b9cbaff07c
--- /dev/null
+++ b/net/quic/quic_client_session_base.cc
@@ -0,0 +1,15 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/quic/quic_client_session_base.h"
+
+namespace net {
+
+QuicClientSessionBase::QuicClientSessionBase(QuicConnection* connection,
+                                             const QuicConfig& config)
+    : QuicSession(connection, config) {}
+
+QuicClientSessionBase::~QuicClientSessionBase() {}
+
+}  // namespace net
diff --git a/net/quic/quic_client_session_base.h b/net/quic/quic_client_session_base.h
new file mode 100644
index 0000000000..eab5d08df9
--- /dev/null
+++ b/net/quic/quic_client_session_base.h
@@ -0,0 +1,41 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_QUIC_QUIC_CLIENT_SESSION_BASE_H_
+#define NET_QUIC_QUIC_CLIENT_SESSION_BASE_H_
+
+#include "net/quic/quic_crypto_client_stream.h"
+#include "net/quic/quic_session.h"
+
+namespace net {
+
+// Base class for all client-specific QuicSession subclasses.
+class NET_EXPORT_PRIVATE QuicClientSessionBase : public QuicSession {
+ public:
+  QuicClientSessionBase(QuicConnection* connection,
+                        const QuicConfig& config);
+
+  virtual ~QuicClientSessionBase();
+
+  // Called when the proof in |cached| is marked valid.  If this is a secure
+  // QUIC session, then this will happen only after the proof verifier
+  // completes.  If this is an insecure QUIC connection, this will happen
+  // as soon as a valid config is discovered (either from the cache or
+  // from the server).
+  virtual void OnProofValid(
+      const QuicCryptoClientConfig::CachedState& cached) = 0;
+
+  // Called when proof verification details become available, either because
+  // proof verification is complete, or when cached details are used. This
+  // will only be called for secure QUIC connections.
+  virtual void OnProofVerifyDetailsAvailable(
+      const ProofVerifyDetails& verify_details) = 0;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(QuicClientSessionBase);
+};
+
+}  // namespace net
+
+#endif  // NET_QUIC_QUIC_CLIENT_SESSION_BASE_H_
diff --git a/net/quic/quic_client_session_test.cc b/net/quic/quic_client_session_test.cc
index 87e338104d..3c8d933eba 100644
--- a/net/quic/quic_client_session_test.cc
+++ b/net/quic/quic_client_session_test.cc
@@ -70,7 +70,8 @@ class QuicClientSessionTest : public ::testing::TestWithParam<QuicVersion> {
             new PacketSavingConnection(false, SupportedVersions(GetParam()))),
         session_(connection_, GetSocket().Pass(), writer_.Pass(), NULL, NULL,
                  make_scoped_ptr((QuicServerInfo*)NULL),
-                 QuicSessionKey(kServerHostname, kServerPort, false),
+                 QuicSessionKey(kServerHostname, kServerPort, false,
+                                kPrivacyModeDisabled),
                  DefaultQuicConfig(), &crypto_config_, &net_log_) {
     session_.config()->SetDefaults();
     crypto_config_.SetDefaults();
diff --git a/net/quic/quic_crypto_client_stream.cc b/net/quic/quic_crypto_client_stream.cc
index 8c574fe9df..d71a097d76 100644
--- a/net/quic/quic_crypto_client_stream.cc
+++ b/net/quic/quic_crypto_client_stream.cc
@@ -8,8 +8,8 @@
 #include "net/quic/crypto/crypto_utils.h"
 #include "net/quic/crypto/null_encrypter.h"
 #include "net/quic/crypto/proof_verifier.h"
+#include "net/quic/quic_client_session_base.h"
 #include "net/quic/quic_protocol.h"
-#include "net/quic/quic_session.h"
 
 namespace net {
 
@@ -44,17 +44,17 @@ void QuicCryptoClientStream::ProofVerifierCallbackImpl::Cancel() {
 
 QuicCryptoClientStream::QuicCryptoClientStream(
     const QuicSessionKey& server_key,
-    QuicSession* session,
-    Visitor* visitor,
+    QuicClientSessionBase* session,
+    ProofVerifyContext* verify_context,
     QuicCryptoClientConfig* crypto_config)
     : QuicCryptoStream(session),
-      visitor_(visitor),
       next_state_(STATE_IDLE),
       num_client_hellos_(0),
       crypto_config_(crypto_config),
       server_key_(server_key),
       generation_counter_(0),
-      proof_verify_callback_(NULL) {
+      proof_verify_callback_(NULL),
+      verify_context_(verify_context) {
 }
 
 QuicCryptoClientStream::~QuicCryptoClientStream() {
@@ -105,7 +105,8 @@ void QuicCryptoClientStream::DoHandshakeLoop(
     switch (state) {
       case STATE_INITIALIZE: {
         if (!cached->IsEmpty() && !cached->signature().empty() &&
-            crypto_config_->proof_verifier()) {
+            server_key_.is_https()) {
+          DCHECK(crypto_config_->proof_verifier());
           // If the cached state needs to be verified, do it now.
           next_state_ = STATE_VERIFY_PROOF;
         } else {
@@ -124,7 +125,7 @@ void QuicCryptoClientStream::DoHandshakeLoop(
 
         if (!cached->IsComplete(session()->connection()->clock()->WallNow())) {
           crypto_config_->FillInchoateClientHello(
-              server_key_.host(),
+              server_key_,
               session()->connection()->supported_versions().front(),
               cached, &crypto_negotiated_params_, &out);
           // Pad the inchoate client hello to fill up a packet.
@@ -150,7 +151,7 @@ void QuicCryptoClientStream::DoHandshakeLoop(
         }
         session()->config()->ToHandshakeMessage(&out);
         error = crypto_config_->FillClientHello(
-            server_key_.host(),
+            server_key_,
             session()->connection()->connection_id(),
             session()->connection()->supported_versions().front(),
             cached,
@@ -166,8 +167,8 @@ void QuicCryptoClientStream::DoHandshakeLoop(
           CloseConnectionWithDetails(error, error_details);
           return;
         }
-        if (visitor_ && cached->proof_verify_details()) {
-          visitor_->OnProofVerifyDetailsAvailable(
+        if (cached->proof_verify_details()) {
+          client_session()->OnProofVerifyDetailsAvailable(
               *cached->proof_verify_details());
         }
         next_state_ = STATE_RECV_SHLO;
@@ -212,10 +213,9 @@ void QuicCryptoClientStream::DoHandshakeLoop(
           return;
         }
         if (!cached->proof_valid()) {
-          ProofVerifier* verifier = crypto_config_->proof_verifier();
-          if (!verifier) {
-            // If no verifier is set then we don't check the certificates.
-            SetProofValid(cached);
+          if (!server_key_.is_https()) {
+            // We don't check the certificates for insecure QUIC connections.
+            SetCachedProofValid(cached);
           } else if (!cached->signature().empty()) {
             next_state_ = STATE_VERIFY_PROOF;
             break;
@@ -239,6 +239,7 @@ void QuicCryptoClientStream::DoHandshakeLoop(
             cached->server_config(),
             cached->certs(),
             cached->signature(),
+            verify_context_.get(),
             &verify_error_details_,
             &verify_details_,
             proof_verify_callback);
@@ -258,10 +259,7 @@ void QuicCryptoClientStream::DoHandshakeLoop(
       }
       case STATE_VERIFY_PROOF_COMPLETE:
         if (!verify_ok_) {
-          if (visitor_) {
-            visitor_->OnProofVerifyDetailsAvailable(
-                *cached->proof_verify_details());
-          }
+          client_session()->OnProofVerifyDetailsAvailable(*verify_details_);
           CloseConnectionWithDetails(
               QUIC_PROOF_INVALID, "Proof invalid: " + verify_error_details_);
           return;
@@ -271,7 +269,7 @@ void QuicCryptoClientStream::DoHandshakeLoop(
         if (generation_counter_ != cached->generation_counter()) {
           next_state_ = STATE_VERIFY_PROOF;
         } else {
-          SetProofValid(cached);
+          SetCachedProofValid(cached);
           cached->SetProofVerifyDetails(verify_details_.release());
           next_state_ = STATE_SEND_CHLO;
         }
@@ -349,12 +347,14 @@ void QuicCryptoClientStream::DoHandshakeLoop(
   }
 }
 
-void QuicCryptoClientStream::SetProofValid(
+void QuicCryptoClientStream::SetCachedProofValid(
     QuicCryptoClientConfig::CachedState* cached) {
   cached->SetProofValid();
-  if (visitor_) {
-    visitor_->OnProofValid(*cached);
-  }
+  client_session()->OnProofValid(*cached);
+}
+
+QuicClientSessionBase* QuicCryptoClientStream::client_session() {
+  return reinterpret_cast<QuicClientSessionBase*>(session());
 }
 
 }  // namespace net
diff --git a/net/quic/quic_crypto_client_stream.h b/net/quic/quic_crypto_client_stream.h
index 8e283605f1..aef96cc2e2 100644
--- a/net/quic/quic_crypto_client_stream.h
+++ b/net/quic/quic_crypto_client_stream.h
@@ -15,7 +15,7 @@
 
 namespace net {
 
-class QuicSession;
+class QuicClientSessionBase;
 
 namespace test {
 class CryptoTestUtils;
@@ -23,28 +23,9 @@ class CryptoTestUtils;
 
 class NET_EXPORT_PRIVATE QuicCryptoClientStream : public QuicCryptoStream {
  public:
-  class NET_EXPORT_PRIVATE Visitor {
-   public:
-    ~Visitor() {}
-
-    // Called when the proof in |cached| is marked valid.  If this is a secure
-    // QUIC session, then this will happen only after the proof verifier
-    // completes.  If this is an insecure QUIC connection, this will happen
-    // as soon as a valid config is discovered (either from the cache or
-    // from the server).
-    virtual void OnProofValid(
-        const QuicCryptoClientConfig::CachedState& cached) = 0;
-
-    // Called when proof verification details become available, either because
-    // proof verification is complete, or when cached details are used. This
-    // will only be called for secure QUIC connections.
-    virtual void OnProofVerifyDetailsAvailable(
-        const ProofVerifyDetails& verify_details) = 0;
-  };
-
   QuicCryptoClientStream(const QuicSessionKey& server_key,
-                         QuicSession* session,
-                         Visitor* visitor,
+                         QuicClientSessionBase* session,
+                         ProofVerifyContext* verify_context,
                          QuicCryptoClientConfig* crypto_config);
   virtual ~QuicCryptoClientStream();
 
@@ -62,8 +43,6 @@ class NET_EXPORT_PRIVATE QuicCryptoClientStream : public QuicCryptoStream {
   // than the number of round-trips needed for the handshake.
   int num_sent_client_hellos() const;
 
-  Visitor* visitor() { return visitor_; }
-
  private:
   // ProofVerifierCallbackImpl is passed as the callback method to VerifyProof.
   // The ProofVerifier calls this class with the result of proof verification
@@ -103,11 +82,11 @@ class NET_EXPORT_PRIVATE QuicCryptoClientStream : public QuicCryptoStream {
   // |in| may be NULL if the call did not result from a received message.
   void DoHandshakeLoop(const CryptoHandshakeMessage* in);
 
-  // Called to set the proof of |cache| valid.  Also invokes the visitor's
+  // Called to set the proof of |cached| valid.  Also invokes the session's
   // OnProofValid() method.
-  void SetProofValid(QuicCryptoClientConfig::CachedState* cached);
+  void SetCachedProofValid(QuicCryptoClientConfig::CachedState* cached);
 
-  Visitor* visitor_;
+  QuicClientSessionBase* client_session();
 
   State next_state_;
   // num_client_hellos_ contains the number of client hello messages that this
@@ -134,6 +113,7 @@ class NET_EXPORT_PRIVATE QuicCryptoClientStream : public QuicCryptoStream {
   bool verify_ok_;
   string verify_error_details_;
   scoped_ptr<ProofVerifyDetails> verify_details_;
+  scoped_ptr<ProofVerifyContext> verify_context_;
 
   DISALLOW_COPY_AND_ASSIGN(QuicCryptoClientStream);
 };
diff --git a/net/quic/quic_crypto_client_stream_test.cc b/net/quic/quic_crypto_client_stream_test.cc
index 1b64c9c807..a69f126385 100644
--- a/net/quic/quic_crypto_client_stream_test.cc
+++ b/net/quic/quic_crypto_client_stream_test.cc
@@ -27,10 +27,10 @@ class QuicCryptoClientStreamTest : public ::testing::Test {
  public:
   QuicCryptoClientStreamTest()
       : connection_(new PacketSavingConnection(false)),
-        session_(new TestSession(connection_, DefaultQuicConfig())),
-        server_key_(kServerHostname, kServerPort, false),
-        stream_(new QuicCryptoClientStream(server_key_, session_.get(), NULL,
-                                           &crypto_config_)) {
+        session_(new TestClientSession(connection_, DefaultQuicConfig())),
+        server_key_(kServerHostname, kServerPort, false, kPrivacyModeDisabled),
+        stream_(new QuicCryptoClientStream(
+            server_key_, session_.get(), NULL, &crypto_config_)) {
     session_->SetCryptoStream(stream_.get());
     session_->config()->SetDefaults();
     crypto_config_.SetDefaults();
@@ -47,7 +47,7 @@ class QuicCryptoClientStreamTest : public ::testing::Test {
   }
 
   PacketSavingConnection* connection_;
-  scoped_ptr<TestSession> session_;
+  scoped_ptr<TestClientSession> session_;
   QuicSessionKey server_key_;
   scoped_ptr<QuicCryptoClientStream> stream_;
   CryptoHandshakeMessage message_;
@@ -101,12 +101,12 @@ TEST_F(QuicCryptoClientStreamTest, NegotiatedParameters) {
 
   const QuicCryptoNegotiatedParameters& crypto_params(
       stream_->crypto_negotiated_params());
-  EXPECT_EQ(kAESG, crypto_params.aead);
-  EXPECT_EQ(kC255, crypto_params.key_exchange);
+  EXPECT_EQ(crypto_config_.aead[0], crypto_params.aead);
+  EXPECT_EQ(crypto_config_.kexs[0], crypto_params.key_exchange);
 }
 
 TEST_F(QuicCryptoClientStreamTest, InvalidHostname) {
-  QuicSessionKey server_key("invalid", 80, false);
+  QuicSessionKey server_key("invalid", 80, false, kPrivacyModeDisabled);
   stream_.reset(new QuicCryptoClientStream(server_key, session_.get(), NULL,
                                            &crypto_config_));
   session_->SetCryptoStream(stream_.get());
@@ -121,7 +121,7 @@ TEST_F(QuicCryptoClientStreamTest, ExpiredServerConfig) {
   CompleteCryptoHandshake();
 
   connection_ = new PacketSavingConnection(true);
-  session_.reset(new TestSession(connection_, DefaultQuicConfig()));
+  session_.reset(new TestClientSession(connection_, DefaultQuicConfig()));
   stream_.reset(new QuicCryptoClientStream(server_key_, session_.get(), NULL,
                                            &crypto_config_));
 
diff --git a/net/quic/quic_crypto_server_stream_test.cc b/net/quic/quic_crypto_server_stream_test.cc
index 4135187879..d0c87e85f2 100644
--- a/net/quic/quic_crypto_server_stream_test.cc
+++ b/net/quic/quic_crypto_server_stream_test.cc
@@ -105,7 +105,7 @@ class QuicCryptoServerStreamTest : public ::testing::TestWithParam<bool> {
 
  protected:
   PacketSavingConnection* connection_;
-  TestSession session_;
+  TestClientSession session_;
   QuicConfig config_;
   QuicCryptoServerConfig crypto_config_;
   QuicCryptoServerStream stream_;
@@ -140,12 +140,13 @@ TEST_P(QuicCryptoServerStreamTest, ZeroRTT) {
 
   QuicConfig client_config;
   client_config.SetDefaults();
-  scoped_ptr<TestSession> client_session(
-      new TestSession(client_conn, client_config));
+  scoped_ptr<TestClientSession> client_session(
+      new TestClientSession(client_conn, client_config));
   QuicCryptoClientConfig client_crypto_config;
   client_crypto_config.SetDefaults();
 
-  QuicSessionKey server_key(kServerHostname, kServerPort, false);
+  QuicSessionKey server_key(kServerHostname, kServerPort, false,
+                            kPrivacyModeDisabled);
   scoped_ptr<QuicCryptoClientStream> client(new QuicCryptoClientStream(
       server_key, client_session.get(), NULL, &client_crypto_config));
   client_session->SetCryptoStream(client.get());
@@ -155,7 +156,8 @@ TEST_P(QuicCryptoServerStreamTest, ZeroRTT) {
   CHECK(client->CryptoConnect());
   CHECK_EQ(1u, client_conn->packets_.size());
 
-  scoped_ptr<TestSession> server_session(new TestSession(server_conn, config_));
+  scoped_ptr<TestClientSession> server_session(
+      new TestClientSession(server_conn, config_));
   scoped_ptr<QuicCryptoServerStream> server(
       new QuicCryptoServerStream(crypto_config_, server_session.get()));
   server_session->SetCryptoStream(server.get());
@@ -177,8 +179,8 @@ TEST_P(QuicCryptoServerStreamTest, ZeroRTT) {
   // This causes the client's nonce to be different and thus stops the
   // strike-register from rejecting the repeated nonce.
   reinterpret_cast<MockRandom*>(client_conn->random_generator())->ChangeValue();
-  client_session.reset(new TestSession(client_conn, client_config));
-  server_session.reset(new TestSession(server_conn, config_));
+  client_session.reset(new TestClientSession(client_conn, client_config));
+  server_session.reset(new TestClientSession(server_conn, config_));
   client.reset(new QuicCryptoClientStream(
       server_key, client_session.get(), NULL, &client_crypto_config));
   client_session->SetCryptoStream(client.get());
diff --git a/net/quic/quic_http_stream.cc b/net/quic/quic_http_stream.cc
index 3c96fbefcf..77bfc8de80 100644
--- a/net/quic/quic_http_stream.cc
+++ b/net/quic/quic_http_stream.cc
@@ -5,6 +5,7 @@
 #include "net/quic/quic_http_stream.h"
 
 #include "base/callback_helpers.h"
+#include "base/metrics/histogram.h"
 #include "base/strings/stringprintf.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
@@ -61,9 +62,11 @@ int QuicHttpStream::InitializeStream(const HttpRequestInfo* request_info,
 
   if (request_info->url.SchemeIsSecure()) {
     SSLInfo ssl_info;
-    if (!session_->GetSSLInfo(&ssl_info) || !ssl_info.cert) {
+    bool secure_session = session_->GetSSLInfo(&ssl_info) && ssl_info.cert;
+    UMA_HISTOGRAM_BOOLEAN("Net.QuicSession.SecureResourceSecureSession",
+                          secure_session);
+    if (!secure_session)
       return ERR_REQUEST_FOR_SECURE_RESOURCE_OVER_INSECURE_QUIC;
-    }
   }
 
   stream_net_log_ = stream_net_log;
diff --git a/net/quic/quic_http_stream_test.cc b/net/quic/quic_http_stream_test.cc
index 1eb7ebe736..ac1f715b1a 100644
--- a/net/quic/quic_http_stream_test.cc
+++ b/net/quic/quic_http_stream_test.cc
@@ -209,7 +209,7 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<QuicVersion> {
                               &crypto_client_stream_factory_,
                               make_scoped_ptr((QuicServerInfo*)NULL),
                               QuicSessionKey(kServerHostname, kServerPort,
-                                             false),
+                                             false, kPrivacyModeDisabled),
                               DefaultQuicConfig(), &crypto_config_, NULL));
     session_->GetCryptoStream()->CryptoConnect();
     EXPECT_TRUE(session_->IsCryptoHandshakeConfirmed());
diff --git a/net/quic/quic_session_key.cc b/net/quic/quic_session_key.cc
index 385a1dea95..8ffd52490a 100644
--- a/net/quic/quic_session_key.cc
+++ b/net/quic/quic_session_key.cc
@@ -11,15 +11,19 @@ namespace net {
 QuicSessionKey::QuicSessionKey() {}
 
 QuicSessionKey::QuicSessionKey(const HostPortPair& host_port_pair,
-                               bool is_https)
+                               bool is_https,
+                               PrivacyMode privacy_mode)
     : host_port_pair_(host_port_pair),
-      is_https_(is_https) {}
+      is_https_(is_https),
+      privacy_mode_(privacy_mode) {}
 
 QuicSessionKey::QuicSessionKey(const string& host,
                                uint16 port,
-                               bool is_https)
+                               bool is_https,
+                               PrivacyMode privacy_mode)
     : host_port_pair_(host, port),
-      is_https_(is_https) {}
+      is_https_(is_https),
+      privacy_mode_(privacy_mode) {}
 
 QuicSessionKey::~QuicSessionKey() {}
 
@@ -27,16 +31,21 @@ bool QuicSessionKey::operator<(const QuicSessionKey& other) const {
   if (!host_port_pair_.Equals(other.host_port_pair_)) {
     return host_port_pair_ < other.host_port_pair_;
   }
-  return is_https_ < other.is_https_;
+  if (is_https_ != other.is_https_) {
+    return is_https_ < other.is_https_;
+  }
+  return privacy_mode_ < other.privacy_mode_;
 }
 
 bool QuicSessionKey::operator==(const QuicSessionKey& other) const {
   return is_https_ == other.is_https_ &&
+      privacy_mode_ == other.privacy_mode_ &&
       host_port_pair_.Equals(other.host_port_pair_);
 }
 
 string QuicSessionKey::ToString() const {
-  return (is_https_ ? "https://" : "http://") + host_port_pair_.ToString();
+  return (is_https_ ? "https://" : "http://") + host_port_pair_.ToString() +
+      (privacy_mode_ == kPrivacyModeEnabled ? "/private" : "");
 }
 
 }  // namespace net
diff --git a/net/quic/quic_session_key.h b/net/quic/quic_session_key.h
index 12975fa5d2..6cd43e7b9c 100644
--- a/net/quic/quic_session_key.h
+++ b/net/quic/quic_session_key.h
@@ -9,6 +9,7 @@
 
 #include "net/base/host_port_pair.h"
 #include "net/base/net_export.h"
+#include "net/base/privacy_mode.h"
 
 namespace net {
 
@@ -16,8 +17,13 @@ namespace net {
 class NET_EXPORT_PRIVATE QuicSessionKey {
  public:
   QuicSessionKey();
-  QuicSessionKey(const HostPortPair& host_port_pair, bool is_https);
-  QuicSessionKey(const std::string& host, uint16 port, bool is_https);
+  QuicSessionKey(const HostPortPair& host_port_pair,
+                 bool is_https,
+                 PrivacyMode privacy_mode);
+  QuicSessionKey(const std::string& host,
+                 uint16 port,
+                 bool is_https,
+                 PrivacyMode privacy_mode);
   ~QuicSessionKey();
 
   // Needed to be an element of std::set.
@@ -38,9 +44,12 @@ class NET_EXPORT_PRIVATE QuicSessionKey {
 
   bool is_https() const { return is_https_; }
 
+  PrivacyMode privacy_mode() const { return privacy_mode_; }
+
  private:
   HostPortPair host_port_pair_;
   bool is_https_;
+  PrivacyMode privacy_mode_;
 };
 
 }  // namespace net
diff --git a/net/quic/quic_session_key_test.cc b/net/quic/quic_session_key_test.cc
index b07b3b7bcf..e8fd4fd57a 100644
--- a/net/quic/quic_session_key_test.cc
+++ b/net/quic/quic_session_key_test.cc
@@ -15,13 +15,25 @@ namespace {
 TEST(QuicSessionKeyTest, ToString) {
   HostPortPair google_host_port_pair("google.com", 10);
 
-  QuicSessionKey google_http_key(google_host_port_pair, false);
+  QuicSessionKey google_http_key(google_host_port_pair, false,
+                                 kPrivacyModeDisabled);
   string google_http_key_str = google_http_key.ToString();
   EXPECT_EQ("http://google.com:10", google_http_key_str);
 
-  QuicSessionKey google_https_key(google_host_port_pair, true);
+  QuicSessionKey google_https_key(google_host_port_pair, true,
+                                 kPrivacyModeDisabled);
   string google_https_key_str = google_https_key.ToString();
   EXPECT_EQ("https://google.com:10", google_https_key_str);
+
+  QuicSessionKey private_http_key(google_host_port_pair, false,
+                                  kPrivacyModeEnabled);
+  string private_http_key_str = private_http_key.ToString();
+  EXPECT_EQ("http://google.com:10/private", private_http_key_str);
+
+  QuicSessionKey private_https_key(google_host_port_pair, true,
+                                   kPrivacyModeEnabled);
+  string private_https_key_str = private_https_key.ToString();
+  EXPECT_EQ("https://google.com:10/private", private_https_key_str);
 }
 
 }  // namespace
diff --git a/net/quic/quic_stream_factory.cc b/net/quic/quic_stream_factory.cc
index 7324511779..3aec036970 100644
--- a/net/quic/quic_stream_factory.cc
+++ b/net/quic/quic_stream_factory.cc
@@ -6,6 +6,7 @@
 
 #include <set>
 
+#include "base/cpu.h"
 #include "base/message_loop/message_loop.h"
 #include "base/message_loop/message_loop_proxy.h"
 #include "base/metrics/histogram.h"
@@ -34,6 +35,10 @@
 #include "net/quic/quic_session_key.h"
 #include "net/socket/client_socket_factory.h"
 
+#if defined(OS_WIN)
+#include "base/win/windows_version.h"
+#endif
+
 using std::string;
 using std::vector;
 
@@ -41,8 +46,29 @@ namespace net {
 
 namespace {
 
+enum CreateSessionFailure {
+  CREATION_ERROR_CONNECTING_SOCKET,
+  CREATION_ERROR_SETTING_RECEIVE_BUFFER,
+  CREATION_ERROR_SETTING_SEND_BUFFER,
+  CREATION_ERROR_MAX
+};
+
 const uint64 kBrokenAlternateProtocolDelaySecs = 300;
 
+void HistogramCreateSessionFailure(enum CreateSessionFailure error) {
+  UMA_HISTOGRAM_ENUMERATION("Net.QuicSession.CreationError", error,
+                            CREATION_ERROR_MAX);
+}
+
+bool IsEcdsaSupported() {
+#if defined(OS_WIN)
+  if (base::win::GetVersion() < base::win::VERSION_VISTA)
+    return false;
+#endif
+
+  return true;
+}
+
 }  // namespace
 
 QuicStreamFactory::IpAliasKey::IpAliasKey() {}
@@ -76,8 +102,8 @@ class QuicStreamFactory::Job {
       HostResolver* host_resolver,
       const HostPortPair& host_port_pair,
       bool is_https,
+      PrivacyMode privacy_mode,
       base::StringPiece method,
-      CertVerifier* cert_verifier,
       QuicServerInfo* server_info,
       const BoundNetLog& net_log);
 
@@ -117,10 +143,8 @@ class QuicStreamFactory::Job {
 
   QuicStreamFactory* factory_;
   SingleRequestHostResolver host_resolver_;
-  bool is_https_;
   QuicSessionKey session_key_;
   bool is_post_;
-  CertVerifier* cert_verifier_;
   scoped_ptr<QuicServerInfo> server_info_;
   const BoundNetLog net_log_;
   QuicClientSession* session_;
@@ -135,16 +159,14 @@ QuicStreamFactory::Job::Job(QuicStreamFactory* factory,
                             HostResolver* host_resolver,
                             const HostPortPair& host_port_pair,
                             bool is_https,
+                            PrivacyMode privacy_mode,
                             base::StringPiece method,
-                            CertVerifier* cert_verifier,
                             QuicServerInfo* server_info,
                             const BoundNetLog& net_log)
     : factory_(factory),
       host_resolver_(host_resolver),
-      is_https_(is_https),
-      session_key_(host_port_pair, is_https),
+      session_key_(host_port_pair, is_https, privacy_mode),
       is_post_(method == "POST"),
-      cert_verifier_(cert_verifier),
       server_info_(server_info),
       net_log_(net_log),
       session_(NULL),
@@ -265,8 +287,7 @@ int QuicStreamFactory::Job::DoLoadServerInfoComplete(int rv) {
 int QuicStreamFactory::Job::DoConnect() {
   io_state_ = STATE_CONNECT_COMPLETE;
 
-  int rv = factory_->CreateSession(session_key_.host_port_pair(), is_https_,
-                                   cert_verifier_, server_info_.Pass(),
+  int rv = factory_->CreateSession(session_key_, server_info_.Pass(),
                                    address_list_, net_log_, &session_);
   if (rv != OK) {
     DCHECK(rv != ERR_IO_PENDING);
@@ -279,7 +300,7 @@ int QuicStreamFactory::Job::DoConnect() {
     return ERR_QUIC_PROTOCOL_ERROR;
   }
   rv = session_->CryptoConnect(
-      factory_->require_confirmation() || is_https_,
+      factory_->require_confirmation() || session_key_.is_https() || is_post_,
       base::Bind(&QuicStreamFactory::Job::OnIOComplete,
                  base::Unretained(this)));
   return rv;
@@ -314,19 +335,18 @@ QuicStreamRequest::~QuicStreamRequest() {
 
 int QuicStreamRequest::Request(const HostPortPair& host_port_pair,
                                bool is_https,
+                               PrivacyMode privacy_mode,
                                base::StringPiece method,
-                               CertVerifier* cert_verifier,
                                const BoundNetLog& net_log,
                                const CompletionCallback& callback) {
   DCHECK(!stream_);
   DCHECK(callback_.is_null());
   DCHECK(factory_);
-  int rv = factory_->Create(host_port_pair, is_https,
-                            method, cert_verifier, net_log, this);
+  int rv = factory_->Create(host_port_pair, is_https, privacy_mode, method,
+                            net_log, this);
   if (rv == ERR_IO_PENDING) {
     host_port_pair_ = host_port_pair;
     is_https_ = is_https;
-    cert_verifier_ = cert_verifier;
     net_log_ = net_log;
     callback_ = callback;
   } else {
@@ -356,6 +376,7 @@ QuicStreamFactory::QuicStreamFactory(
     HostResolver* host_resolver,
     ClientSocketFactory* client_socket_factory,
     base::WeakPtr<HttpServerProperties> http_server_properties,
+    CertVerifier* cert_verifier,
     QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory,
     QuicRandom* random_generator,
     QuicClock* clock,
@@ -367,6 +388,7 @@ QuicStreamFactory::QuicStreamFactory(
       host_resolver_(host_resolver),
       client_socket_factory_(client_socket_factory),
       http_server_properties_(http_server_properties),
+      cert_verifier_(cert_verifier),
       quic_server_info_factory_(NULL),
       quic_crypto_client_stream_factory_(quic_crypto_client_stream_factory),
       random_generator_(random_generator),
@@ -383,24 +405,30 @@ QuicStreamFactory::QuicStreamFactory(
       QuicTime::Delta::FromSeconds(30),
       QuicTime::Delta::FromSeconds(30));
 
-  canoncial_suffixes_.push_back(string(".c.youtube.com"));
-  canoncial_suffixes_.push_back(string(".googlevideo.com"));
+  crypto_config_.SetDefaults();
+  crypto_config_.AddCanonicalSuffix(".c.youtube.com");
+  crypto_config_.AddCanonicalSuffix(".googlevideo.com");
+  crypto_config_.SetProofVerifier(new ProofVerifierChromium(cert_verifier));
+  base::CPU cpu;
+  if (cpu.has_aesni() && cpu.has_avx())
+    crypto_config_.PreferAesGcm();
+  if (!IsEcdsaSupported())
+    crypto_config_.DisableEcdsa();
 }
 
 QuicStreamFactory::~QuicStreamFactory() {
   CloseAllSessions(ERR_ABORTED);
   STLDeleteElements(&all_sessions_);
   STLDeleteValues(&active_jobs_);
-  STLDeleteValues(&all_crypto_configs_);
 }
 
 int QuicStreamFactory::Create(const HostPortPair& host_port_pair,
                               bool is_https,
+                              PrivacyMode privacy_mode,
                               base::StringPiece method,
-                              CertVerifier* cert_verifier,
                               const BoundNetLog& net_log,
                               QuicStreamRequest* request) {
-  QuicSessionKey session_key(host_port_pair, is_https);
+  QuicSessionKey session_key(host_port_pair, is_https, privacy_mode);
   if (HasActiveSession(session_key)) {
     request->set_stream(CreateIfSessionExists(session_key, net_log));
     return OK;
@@ -415,18 +443,15 @@ int QuicStreamFactory::Create(const HostPortPair& host_port_pair,
 
   QuicServerInfo* quic_server_info = NULL;
   if (quic_server_info_factory_) {
-    QuicCryptoClientConfig* crypto_config =
-        GetOrCreateCryptoConfig(session_key);
     QuicCryptoClientConfig::CachedState* cached =
-        crypto_config->LookupOrCreate(session_key);
+        crypto_config_.LookupOrCreate(session_key);
     DCHECK(cached);
     if (cached->IsEmpty()) {
       quic_server_info = quic_server_info_factory_->GetForServer(session_key);
     }
   }
-  scoped_ptr<Job> job(new Job(this, host_resolver_, host_port_pair,
-                              is_https, method, cert_verifier,
-                              quic_server_info, net_log));
+  scoped_ptr<Job> job(new Job(this, host_resolver_, host_port_pair, is_https,
+                              privacy_mode, method, quic_server_info, net_log));
   int rv = job->Run(base::Bind(&QuicStreamFactory::OnJobComplete,
                                base::Unretained(this), job.get()));
 
@@ -649,15 +674,12 @@ bool QuicStreamFactory::HasActiveSession(
 }
 
 int QuicStreamFactory::CreateSession(
-    const HostPortPair& host_port_pair,
-    bool is_https,
-    CertVerifier* cert_verifier,
+    const QuicSessionKey& session_key,
     scoped_ptr<QuicServerInfo> server_info,
     const AddressList& address_list,
     const BoundNetLog& net_log,
     QuicClientSession** session) {
   bool enable_port_selection = enable_port_selection_;
-  QuicSessionKey session_key(host_port_pair, is_https);
   if (enable_port_selection &&
       ContainsKey(gone_away_aliases_, session_key)) {
     // Disable port selection when the server is going away.
@@ -670,7 +692,7 @@ int QuicStreamFactory::CreateSession(
   QuicConnectionId connection_id = random_generator_->RandUint64();
   IPEndPoint addr = *address_list.begin();
   scoped_refptr<PortSuggester> port_suggester =
-      new PortSuggester(host_port_pair, port_seed_);
+      new PortSuggester(session_key.host_port_pair(), port_seed_);
   DatagramSocket::BindType bind_type = enable_port_selection ?
       DatagramSocket::RANDOM_BIND :  // Use our callback.
       DatagramSocket::DEFAULT_BIND;  // Use OS to randomize.
@@ -680,8 +702,10 @@ int QuicStreamFactory::CreateSession(
           base::Bind(&PortSuggester::SuggestPort, port_suggester),
           net_log.net_log(), net_log.source()));
   int rv = socket->Connect(addr);
-  if (rv != OK)
+  if (rv != OK) {
+    HistogramCreateSessionFailure(CREATION_ERROR_CONNECTING_SOCKET);
     return rv;
+  }
   UMA_HISTOGRAM_COUNTS("Net.QuicEphemeralPortsSuggested",
                        port_suggester->call_count());
   if (enable_port_selection) {
@@ -695,11 +719,17 @@ int QuicStreamFactory::CreateSession(
   // does not consume "too much" memory.  If we see bursty packet loss, we may
   // revisit this setting and test for its impact.
   const int32 kSocketBufferSize(TcpReceiver::kReceiveWindowTCP);
-  socket->SetReceiveBufferSize(kSocketBufferSize);
+  if (!socket->SetReceiveBufferSize(kSocketBufferSize)) {
+    HistogramCreateSessionFailure(CREATION_ERROR_SETTING_RECEIVE_BUFFER);
+    return ERR_SOCKET_SET_RECEIVE_BUFFER_SIZE_ERROR;
+  }
   // Set a buffer large enough to contain the initial CWND's worth of packet
   // to work around the problem with CHLO packets being sent out with the
   // wrong encryption level, when the send buffer is full.
-  socket->SetSendBufferSize(kMaxPacketSize * 20); // Support 20 packets.
+  if (!socket->SetSendBufferSize(kMaxPacketSize * 20)) {
+    HistogramCreateSessionFailure(CREATION_ERROR_SETTING_SEND_BUFFER);
+    return ERR_SOCKET_SET_SEND_BUFFER_SIZE_ERROR;
+  }
 
   scoped_ptr<QuicDefaultPacketWriter> writer(
       new QuicDefaultPacketWriter(socket.get()));
@@ -717,14 +747,13 @@ int QuicStreamFactory::CreateSession(
   writer->SetConnection(connection);
   connection->options()->max_packet_length = max_packet_length_;
 
-  QuicCryptoClientConfig* crypto_config = GetOrCreateCryptoConfig(session_key);
-  InitializeCachedState(session_key, crypto_config, server_info);
-  DCHECK(crypto_config);
+  InitializeCachedState(session_key, server_info);
 
   QuicConfig config = config_;
   if (http_server_properties_) {
     const HttpServerProperties::NetworkStats* stats =
-        http_server_properties_->GetServerNetworkStats(host_port_pair);
+        http_server_properties_->GetServerNetworkStats(
+            session_key.host_port_pair());
     if (stats != NULL) {
       config.set_initial_round_trip_time_us(stats->rtt.InMicroseconds(),
                                             stats->rtt.InMicroseconds());
@@ -734,12 +763,8 @@ int QuicStreamFactory::CreateSession(
   *session = new QuicClientSession(
       connection, socket.Pass(), writer.Pass(), this,
       quic_crypto_client_stream_factory_, server_info.Pass(), session_key,
-      config, crypto_config, net_log.net_log());
+      config, &crypto_config_, net_log.net_log());
   all_sessions_.insert(*session);  // owning pointer
-  if (is_https) {
-    crypto_config->SetProofVerifier(
-        new ProofVerifierChromium(cert_verifier, net_log));
-  }
   return OK;
 }
 
@@ -759,72 +784,14 @@ void QuicStreamFactory::ActivateSession(
   ip_aliases_[ip_alias_key].insert(session);
 }
 
-QuicCryptoClientConfig* QuicStreamFactory::GetOrCreateCryptoConfig(
-    const QuicSessionKey& session_key) {
-  QuicCryptoClientConfig* crypto_config;
-
-  if (ContainsKey(all_crypto_configs_, session_key)) {
-    crypto_config = all_crypto_configs_[session_key];
-    DCHECK(crypto_config);
-  } else {
-    // TODO(rtenneti): if two quic_sessions for the same host_port_pair
-    // share the same crypto_config, will it cause issues?
-    crypto_config = new QuicCryptoClientConfig();
-    crypto_config->SetDefaults();
-    all_crypto_configs_[session_key] = crypto_config;
-    PopulateFromCanonicalConfig(session_key, crypto_config);
-  }
-  return crypto_config;
-}
-
-void QuicStreamFactory::PopulateFromCanonicalConfig(
-    const QuicSessionKey& session_key,
-    QuicCryptoClientConfig* crypto_config) {
-  const string server_hostname = session_key.host();
-  unsigned i = 0;
-  for (; i < canoncial_suffixes_.size(); ++i) {
-    if (EndsWith(server_hostname, canoncial_suffixes_[i], false)) {
-      break;
-    }
-  }
-  if (i == canoncial_suffixes_.size())
-    return;
-
-  HostPortPair suffix_host_port_pair(canoncial_suffixes_[i],
-                                     session_key.port());
-  QuicSessionKey suffix_session_key(suffix_host_port_pair,
-                                    session_key.is_https());
-  if (!ContainsKey(canonical_hostname_to_origin_map_, suffix_session_key)) {
-    // This is the first host we've seen which matches the suffix, so make it
-    // canonical.
-    canonical_hostname_to_origin_map_[suffix_session_key] = session_key;
-    return;
-  }
-
-  const QuicSessionKey& canonical_session_key =
-      canonical_hostname_to_origin_map_[suffix_session_key];
-  QuicCryptoClientConfig* canonical_crypto_config =
-      all_crypto_configs_[canonical_session_key];
-  DCHECK(canonical_crypto_config);
-
-  // Copy the CachedState for the canonical server from canonical_crypto_config
-  // as the initial CachedState for the server_hostname in crypto_config.
-  crypto_config->InitializeFrom(session_key, canonical_session_key,
-                                canonical_crypto_config);
-  // Update canonical version to point at the "most recent" crypto_config.
-  canonical_hostname_to_origin_map_[suffix_session_key] =
-      canonical_session_key;
-}
-
 void QuicStreamFactory::InitializeCachedState(
     const QuicSessionKey& session_key,
-    QuicCryptoClientConfig* crypto_config,
     const scoped_ptr<QuicServerInfo>& server_info) {
   if (!server_info)
     return;
 
   QuicCryptoClientConfig::CachedState* cached =
-      crypto_config->LookupOrCreate(session_key);
+      crypto_config_.LookupOrCreate(session_key);
   if (!cached->IsEmpty())
     return;
 
@@ -835,8 +802,8 @@ void QuicStreamFactory::InitializeCachedState(
                           clock_->WallNow()))
     return;
 
-  if (!crypto_config->proof_verifier()) {
-    // If no verifier is set then we don't check the certificates.
+  if (!session_key.is_https()) {
+    // Don't check the certificates for insecure QUIC.
     cached->SetProofValid();
   }
 }
diff --git a/net/quic/quic_stream_factory.h b/net/quic/quic_stream_factory.h
index 61806a75c4..1e22cdb062 100644
--- a/net/quic/quic_stream_factory.h
+++ b/net/quic/quic_stream_factory.h
@@ -54,8 +54,8 @@ class NET_EXPORT_PRIVATE QuicStreamRequest {
   // For http, |is_https| is false and |cert_verifier| can be null.
   int Request(const HostPortPair& host_port_pair,
               bool is_https,
+              PrivacyMode privacy_mode,
               base::StringPiece method,
-              CertVerifier* cert_verifier,
               const BoundNetLog& net_log,
               const CompletionCallback& callback);
 
@@ -73,7 +73,6 @@ class NET_EXPORT_PRIVATE QuicStreamRequest {
   QuicStreamFactory* factory_;
   HostPortPair host_port_pair_;
   bool is_https_;
-  CertVerifier* cert_verifier_;
   BoundNetLog net_log_;
   CompletionCallback callback_;
   scoped_ptr<QuicHttpStream> stream_;
@@ -91,6 +90,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
       HostResolver* host_resolver,
       ClientSocketFactory* client_socket_factory,
       base::WeakPtr<HttpServerProperties> http_server_properties,
+      CertVerifier* cert_verifier,
       QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory,
       QuicRandom* random_generator,
       QuicClock* clock,
@@ -109,8 +109,8 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   // asynchronously.
   int Create(const HostPortPair& host_port_pair,
              bool is_https,
+             PrivacyMode privacy_mode,
              base::StringPiece method,
-             CertVerifier* cert_verifier,
              const BoundNetLog& net_log,
              QuicStreamRequest* request);
 
@@ -166,7 +166,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   class Job;
   friend class test::QuicStreamFactoryPeer;
 
-  // The key used to find session by hostname. Includes
+  // The key used to find session by ip. Includes
   // the ip address, port, and scheme.
   struct NET_EXPORT_PRIVATE IpAliasKey {
     IpAliasKey();
@@ -187,7 +187,6 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   typedef std::set<QuicClientSession*> SessionSet;
   typedef std::map<IpAliasKey, SessionSet> IPAliasMap;
   typedef std::map<QuicSessionKey, QuicCryptoClientConfig*> CryptoConfigMap;
-  typedef std::map<QuicSessionKey, QuicSessionKey> CanonicalHostMap;
   typedef std::map<QuicSessionKey, Job*> JobMap;
   typedef std::map<QuicStreamRequest*, Job*> RequestMap;
   typedef std::set<QuicStreamRequest*> RequestSet;
@@ -203,9 +202,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   void OnJobComplete(Job* job, int rv);
   bool HasActiveSession(const QuicSessionKey& session_key) const;
   bool HasActiveJob(const QuicSessionKey& session_key) const;
-  int CreateSession(const HostPortPair& host_port_pair,
-                    bool is_https,
-                    CertVerifier* cert_verifier,
+  int CreateSession(const QuicSessionKey& session_key,
                     scoped_ptr<QuicServerInfo> quic_server_info,
                     const AddressList& address_list,
                     const BoundNetLog& net_log,
@@ -213,20 +210,9 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   void ActivateSession(const QuicSessionKey& key,
                        QuicClientSession* session);
 
-  QuicCryptoClientConfig* GetOrCreateCryptoConfig(
-      const QuicSessionKey& session_key);
-
-  // If the suffix of the hostname in |session_key| is in |canoncial_suffixes_|,
-  // then populate |crypto_config| with a canonical server config data from
-  // |canonical_hostname_to_origin_map_| for that suffix.
-  void PopulateFromCanonicalConfig(
-      const QuicSessionKey& session_key,
-      QuicCryptoClientConfig* crypto_config);
-
   // Initializes the cached state associated with |session_key| in
-  // |crypto_config| with the information in |server_info|.
+  // |crypto_config_| with the information in |server_info|.
   void InitializeCachedState(const QuicSessionKey& session_key,
-                             QuicCryptoClientConfig* crypto_config,
                              const scoped_ptr<QuicServerInfo>& server_info);
 
   void ExpireBrokenAlternateProtocolMappings();
@@ -236,6 +222,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   HostResolver* host_resolver_;
   ClientSocketFactory* client_socket_factory_;
   base::WeakPtr<HttpServerProperties> http_server_properties_;
+  CertVerifier* cert_verifier_;
   QuicServerInfoFactory* quic_server_info_factory_;
   QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory_;
   QuicRandom* random_generator_;
@@ -258,23 +245,6 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   // Origins which have gone away recently.
   AliasSet gone_away_aliases_;
 
-  // Contains owning pointers to QuicCryptoClientConfig. QuicCryptoClientConfig
-  // contains configuration and cached state about servers.
-  // TODO(rtenneti): Persist all_crypto_configs_ to disk and decide when to
-  // clear the data in the map.
-  CryptoConfigMap all_crypto_configs_;
-
-  // Contains a map of servers which could share the same server config. Map
-  // from a Canonical host/port/scheme (host is some postfix of host names) to
-  // an actual origin, which has a plausible set of initial certificates (or at
-  // least server public key).
-  CanonicalHostMap canonical_hostname_to_origin_map_;
-
-  // Contains list of suffixes (for exmaple ".c.youtube.com",
-  // ".googlevideo.com") of canoncial hostnames.
-  std::vector<std::string> canoncial_suffixes_;
-
-
   // List of broken host:ports and the times when they can be expired.
   struct BrokenAlternateProtocolEntry {
     HostPortPair origin;
@@ -290,6 +260,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   BrokenAlternateProtocolMap broken_alternate_protocol_map_;
 
   QuicConfig config_;
+  QuicCryptoClientConfig crypto_config_;
 
   JobMap active_jobs_;
   JobRequestsMap job_requests_map_;
diff --git a/net/quic/quic_stream_factory_test.cc b/net/quic/quic_stream_factory_test.cc
index f7e271cadd..780c5cb8e4 100644
--- a/net/quic/quic_stream_factory_test.cc
+++ b/net/quic/quic_stream_factory_test.cc
@@ -41,18 +41,14 @@ const int kDefaultServerPort = 443;
 
 class QuicStreamFactoryPeer {
  public:
-  static QuicCryptoClientConfig* GetOrCreateCryptoConfig(
-      QuicStreamFactory* factory,
-      const HostPortPair& host_port_pair,
-      bool is_https) {
-    QuicSessionKey server_key(host_port_pair, is_https);
-    return factory->GetOrCreateCryptoConfig(server_key);
+  static QuicCryptoClientConfig* GetCryptoConfig(QuicStreamFactory* factory) {
+    return &factory->crypto_config_;
   }
 
   static bool HasActiveSession(QuicStreamFactory* factory,
                                const HostPortPair& host_port_pair,
                                bool is_https) {
-    QuicSessionKey server_key(host_port_pair, is_https);
+    QuicSessionKey server_key(host_port_pair, is_https, kPrivacyModeDisabled);
     return factory->HasActiveSession(server_key);
   }
 
@@ -60,7 +56,7 @@ class QuicStreamFactoryPeer {
       QuicStreamFactory* factory,
       const HostPortPair& host_port_pair,
       bool is_https) {
-    QuicSessionKey server_key(host_port_pair, is_https);
+    QuicSessionKey server_key(host_port_pair, is_https, kPrivacyModeDisabled);
     DCHECK(factory->HasActiveSession(server_key));
     return factory->active_sessions_[server_key];
   }
@@ -70,7 +66,7 @@ class QuicStreamFactoryPeer {
       const HostPortPair& host_port_pair,
       bool is_https,
       const BoundNetLog& net_log) {
-    QuicSessionKey server_key(host_port_pair, is_https);
+    QuicSessionKey server_key(host_port_pair, is_https, kPrivacyModeDisabled);
     return factory->CreateIfSessionExists(server_key, net_log);
   }
 
@@ -92,14 +88,16 @@ class QuicStreamFactoryTest : public ::testing::TestWithParam<QuicVersion> {
       : random_generator_(0),
         maker_(GetParam(), 0),
         clock_(new MockClock()),
+        cert_verifier_(CertVerifier::CreateDefault()),
         factory_(&host_resolver_, &socket_factory_,
                  base::WeakPtr<HttpServerProperties>(),
+                 cert_verifier_.get(),
                  &crypto_client_stream_factory_,
                  &random_generator_, clock_, kDefaultMaxPacketSize,
                  SupportedVersions(GetParam()), true, true),
         host_port_pair_(kDefaultServerHostName, kDefaultServerPort),
         is_https_(false),
-        cert_verifier_(CertVerifier::CreateDefault()) {
+        privacy_mode_(kPrivacyModeDisabled) {
     factory_.set_require_confirmation(false);
   }
 
@@ -136,8 +134,8 @@ class QuicStreamFactoryTest : public ::testing::TestWithParam<QuicVersion> {
     EXPECT_EQ(ERR_IO_PENDING,
               request.Request(destination,
                               is_https_,
+                              privacy_mode_,
                               "GET",
-                              cert_verifier_.get(),
                               net_log_,
                               callback_.callback()));
 
@@ -181,10 +179,11 @@ class QuicStreamFactoryTest : public ::testing::TestWithParam<QuicVersion> {
   MockRandom random_generator_;
   QuicTestPacketMaker maker_;
   MockClock* clock_;  // Owned by factory_.
+  scoped_ptr<CertVerifier> cert_verifier_;
   QuicStreamFactory factory_;
   HostPortPair host_port_pair_;
   bool is_https_;
-  scoped_ptr<CertVerifier> cert_verifier_;
+  PrivacyMode privacy_mode_;
   BoundNetLog net_log_;
   TestCompletionCallback callback_;
 };
@@ -208,8 +207,8 @@ TEST_P(QuicStreamFactoryTest, Create) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
 
@@ -227,8 +226,8 @@ TEST_P(QuicStreamFactoryTest, Create) {
   EXPECT_EQ(OK,
             request2.Request(host_port_pair_,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback()));
   stream = request2.ReleaseStream();  // Will reset stream 5.
@@ -238,6 +237,70 @@ TEST_P(QuicStreamFactoryTest, Create) {
   EXPECT_TRUE(socket_data.at_write_eof());
 }
 
+TEST_P(QuicStreamFactoryTest, CreateZeroRtt) {
+  MockRead reads[] = {
+    MockRead(ASYNC, OK, 0)  // EOF
+  };
+  DeterministicSocketData socket_data(reads, arraysize(reads), NULL, 0);
+  socket_factory_.AddSocketDataProvider(&socket_data);
+  socket_data.StopAfter(1);
+
+  crypto_client_stream_factory_.set_handshake_mode(
+      MockCryptoClientStream::ZERO_RTT);
+  host_resolver_.set_synchronous_mode(true);
+  host_resolver_.rules()->AddIPLiteralRule(host_port_pair_.host(),
+                                           "192.168.0.1", "");
+
+  QuicStreamRequest request(&factory_);
+  EXPECT_EQ(OK,
+            request.Request(host_port_pair_,
+                            is_https_,
+                            privacy_mode_,
+                            "GET",
+                            net_log_,
+                            callback_.callback()));
+
+  scoped_ptr<QuicHttpStream> stream = request.ReleaseStream();
+  EXPECT_TRUE(stream.get());
+  EXPECT_TRUE(socket_data.at_read_eof());
+  EXPECT_TRUE(socket_data.at_write_eof());
+}
+
+TEST_P(QuicStreamFactoryTest, CreateZeroRttPost) {
+  MockRead reads[] = {
+    MockRead(ASYNC, OK, 0)  // EOF
+  };
+  DeterministicSocketData socket_data(reads, arraysize(reads), NULL, 0);
+  socket_factory_.AddSocketDataProvider(&socket_data);
+  socket_data.StopAfter(1);
+
+  crypto_client_stream_factory_.set_handshake_mode(
+      MockCryptoClientStream::ZERO_RTT);
+  host_resolver_.set_synchronous_mode(true);
+  host_resolver_.rules()->AddIPLiteralRule(host_port_pair_.host(),
+                                           "192.168.0.1", "");
+
+  QuicStreamRequest request(&factory_);
+  // Posts require handshake confirmation, so this will return asynchronously.
+  EXPECT_EQ(ERR_IO_PENDING,
+            request.Request(host_port_pair_,
+                            is_https_,
+                            privacy_mode_,
+                            "POST",
+                            net_log_,
+                            callback_.callback()));
+
+  // Confirm the handshake and verify that the stream is created.
+  crypto_client_stream_factory_.last_stream()->SendOnCryptoHandshakeEvent(
+      QuicSession::HANDSHAKE_CONFIRMED);
+
+  EXPECT_EQ(OK, callback_.WaitForResult());
+  scoped_ptr<QuicHttpStream> stream = request.ReleaseStream();
+  EXPECT_TRUE(stream.get());
+  EXPECT_TRUE(socket_data.at_read_eof());
+  EXPECT_TRUE(socket_data.at_write_eof());
+}
+
 TEST_P(QuicStreamFactoryTest, CreateHttpVsHttps) {
   MockRead reads[] = {
     MockRead(ASYNC, OK, 0)  // EOF
@@ -253,8 +316,8 @@ TEST_P(QuicStreamFactoryTest, CreateHttpVsHttps) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
 
@@ -266,8 +329,8 @@ TEST_P(QuicStreamFactoryTest, CreateHttpVsHttps) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(host_port_pair_,
                              !is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -305,8 +368,8 @@ TEST_P(QuicStreamFactoryTest, Pooling) {
   EXPECT_EQ(OK,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
   scoped_ptr<QuicHttpStream> stream = request.ReleaseStream();
@@ -317,8 +380,8 @@ TEST_P(QuicStreamFactoryTest, Pooling) {
   EXPECT_EQ(OK,
             request2.Request(server2,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback.callback()));
   scoped_ptr<QuicHttpStream> stream2 = request2.ReleaseStream();
@@ -355,8 +418,8 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
   EXPECT_EQ(OK,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
   scoped_ptr<QuicHttpStream> stream = request.ReleaseStream();
@@ -367,8 +430,8 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
   EXPECT_EQ(OK,
             request2.Request(server2,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback.callback()));
   scoped_ptr<QuicHttpStream> stream2 = request2.ReleaseStream();
@@ -386,8 +449,8 @@ TEST_P(QuicStreamFactoryTest, NoPoolingAfterGoAway) {
   EXPECT_EQ(OK,
             request3.Request(server2,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback3.callback()));
   scoped_ptr<QuicHttpStream> stream3 = request3.ReleaseStream();
@@ -434,8 +497,8 @@ TEST_P(QuicStreamFactoryTest, HttpsPooling) {
   EXPECT_EQ(OK,
             request.Request(server1,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
   scoped_ptr<QuicHttpStream> stream = request.ReleaseStream();
@@ -446,8 +509,8 @@ TEST_P(QuicStreamFactoryTest, HttpsPooling) {
   EXPECT_EQ(OK,
             request2.Request(server2,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback()));
   scoped_ptr<QuicHttpStream> stream2 = request2.ReleaseStream();
@@ -499,8 +562,8 @@ TEST_P(QuicStreamFactoryTest, NoHttpsPoolingWithCertMismatch) {
   EXPECT_EQ(OK,
             request.Request(server1,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
   scoped_ptr<QuicHttpStream> stream = request.ReleaseStream();
@@ -511,8 +574,8 @@ TEST_P(QuicStreamFactoryTest, NoHttpsPoolingWithCertMismatch) {
   EXPECT_EQ(OK,
             request2.Request(server2,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback()));
   scoped_ptr<QuicHttpStream> stream2 = request2.ReleaseStream();
@@ -544,8 +607,8 @@ TEST_P(QuicStreamFactoryTest, Goaway) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
 
@@ -569,8 +632,8 @@ TEST_P(QuicStreamFactoryTest, Goaway) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(host_port_pair_,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback()));
   EXPECT_EQ(OK, callback_.WaitForResult());
@@ -617,8 +680,8 @@ TEST_P(QuicStreamFactoryTest, MaxOpenStream) {
     QuicStreamRequest request(&factory_);
     int rv = request.Request(host_port_pair_,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback());
     if (i == 0) {
@@ -638,8 +701,8 @@ TEST_P(QuicStreamFactoryTest, MaxOpenStream) {
   EXPECT_EQ(OK,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             CompletionCallback()));
   scoped_ptr<QuicHttpStream> stream = request.ReleaseStream();
@@ -669,8 +732,8 @@ TEST_P(QuicStreamFactoryTest, ResolutionErrorInCreate) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
 
@@ -691,8 +754,8 @@ TEST_P(QuicStreamFactoryTest, ConnectErrorInCreate) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
 
@@ -713,8 +776,8 @@ TEST_P(QuicStreamFactoryTest, CancelCreate) {
     EXPECT_EQ(ERR_IO_PENDING,
               request.Request(host_port_pair_,
                               is_https_,
+                              privacy_mode_,
                               "GET",
-                              cert_verifier_.get(),
                               net_log_,
                               callback_.callback()));
   }
@@ -781,8 +844,8 @@ TEST_P(QuicStreamFactoryTest, CloseAllSessions) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
 
@@ -805,8 +868,8 @@ TEST_P(QuicStreamFactoryTest, CloseAllSessions) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(host_port_pair_,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback()));
 
@@ -845,8 +908,8 @@ TEST_P(QuicStreamFactoryTest, OnIPAddressChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
 
@@ -870,8 +933,8 @@ TEST_P(QuicStreamFactoryTest, OnIPAddressChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(host_port_pair_,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback()));
 
@@ -910,8 +973,8 @@ TEST_P(QuicStreamFactoryTest, OnCertAdded) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
 
@@ -935,8 +998,8 @@ TEST_P(QuicStreamFactoryTest, OnCertAdded) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(host_port_pair_,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback()));
 
@@ -975,8 +1038,8 @@ TEST_P(QuicStreamFactoryTest, OnCACertChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request.Request(host_port_pair_,
                             is_https_,
+                            privacy_mode_,
                             "GET",
-                            cert_verifier_.get(),
                             net_log_,
                             callback_.callback()));
 
@@ -1000,8 +1063,8 @@ TEST_P(QuicStreamFactoryTest, OnCACertChanged) {
   EXPECT_EQ(ERR_IO_PENDING,
             request2.Request(host_port_pair_,
                              is_https_,
+                             privacy_mode_,
                              "GET",
-                             cert_verifier_.get(),
                              net_log_,
                              callback_.callback()));
 
@@ -1027,13 +1090,11 @@ TEST_P(QuicStreamFactoryTest, SharedCryptoConfig) {
     r2_host_name.append(cannoncial_suffixes[i]);
 
     HostPortPair host_port_pair1(r1_host_name, 80);
-    QuicCryptoClientConfig* crypto_config1 =
-        QuicStreamFactoryPeer::GetOrCreateCryptoConfig(
-            &factory_, host_port_pair1, is_https_);
-    DCHECK(crypto_config1);
-    QuicSessionKey server_key1(host_port_pair1, is_https_);
+    QuicCryptoClientConfig* crypto_config =
+        QuicStreamFactoryPeer::GetCryptoConfig(&factory_);
+    QuicSessionKey server_key1(host_port_pair1, is_https_, privacy_mode_);
     QuicCryptoClientConfig::CachedState* cached1 =
-        crypto_config1->LookupOrCreate(server_key1);
+        crypto_config->LookupOrCreate(server_key1);
     EXPECT_FALSE(cached1->proof_valid());
     EXPECT_TRUE(cached1->source_address_token().empty());
 
@@ -1043,13 +1104,9 @@ TEST_P(QuicStreamFactoryTest, SharedCryptoConfig) {
     cached1->SetProofValid();
 
     HostPortPair host_port_pair2(r2_host_name, 80);
-    QuicCryptoClientConfig* crypto_config2 =
-        QuicStreamFactoryPeer::GetOrCreateCryptoConfig(
-            &factory_, host_port_pair2, is_https_);
-    DCHECK(crypto_config2);
-    QuicSessionKey server_key2(host_port_pair2, is_https_);
+    QuicSessionKey server_key2(host_port_pair2, is_https_, privacy_mode_);
     QuicCryptoClientConfig::CachedState* cached2 =
-        crypto_config2->LookupOrCreate(server_key2);
+        crypto_config->LookupOrCreate(server_key2);
     EXPECT_EQ(cached1->source_address_token(), cached2->source_address_token());
     EXPECT_TRUE(cached2->proof_valid());
   }
@@ -1067,13 +1124,11 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigWhenProofIsInvalid) {
     r4_host_name.append(cannoncial_suffixes[i]);
 
     HostPortPair host_port_pair1(r3_host_name, 80);
-    QuicCryptoClientConfig* crypto_config1 =
-        QuicStreamFactoryPeer::GetOrCreateCryptoConfig(
-            &factory_, host_port_pair1, is_https_);
-    DCHECK(crypto_config1);
-    QuicSessionKey server_key1(host_port_pair1, is_https_);
+    QuicCryptoClientConfig* crypto_config =
+        QuicStreamFactoryPeer::GetCryptoConfig(&factory_);
+    QuicSessionKey server_key1(host_port_pair1, is_https_, privacy_mode_);
     QuicCryptoClientConfig::CachedState* cached1 =
-        crypto_config1->LookupOrCreate(server_key1);
+        crypto_config->LookupOrCreate(server_key1);
     EXPECT_FALSE(cached1->proof_valid());
     EXPECT_TRUE(cached1->source_address_token().empty());
 
@@ -1083,13 +1138,9 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigWhenProofIsInvalid) {
     cached1->SetProofInvalid();
 
     HostPortPair host_port_pair2(r4_host_name, 80);
-    QuicCryptoClientConfig* crypto_config2 =
-        QuicStreamFactoryPeer::GetOrCreateCryptoConfig(
-            &factory_, host_port_pair2, is_https_);
-    DCHECK(crypto_config2);
-    QuicSessionKey server_key2(host_port_pair2, is_https_);
+    QuicSessionKey server_key2(host_port_pair2, is_https_, privacy_mode_);
     QuicCryptoClientConfig::CachedState* cached2 =
-        crypto_config2->LookupOrCreate(server_key2);
+        crypto_config->LookupOrCreate(server_key2);
     EXPECT_NE(cached1->source_address_token(), cached2->source_address_token());
     EXPECT_TRUE(cached2->source_address_token().empty());
     EXPECT_FALSE(cached2->proof_valid());
diff --git a/net/quic/test_tools/crypto_test_utils.cc b/net/quic/test_tools/crypto_test_utils.cc
index c3ccf722a3..45fc5a02e8 100644
--- a/net/quic/test_tools/crypto_test_utils.cc
+++ b/net/quic/test_tools/crypto_test_utils.cc
@@ -167,7 +167,7 @@ int CryptoTestUtils::HandshakeWithFakeClient(
     QuicCryptoServerStream* server,
     const FakeClientOptions& options) {
   PacketSavingConnection* client_conn = new PacketSavingConnection(false);
-  TestSession client_session(client_conn, DefaultQuicConfig());
+  TestClientSession client_session(client_conn, DefaultQuicConfig());
   QuicCryptoClientConfig crypto_config;
 
   client_session.config()->SetDefaults();
@@ -179,7 +179,8 @@ int CryptoTestUtils::HandshakeWithFakeClient(
   if (options.channel_id_enabled) {
     crypto_config.SetChannelIDSigner(ChannelIDSignerForTesting());
   }
-  QuicSessionKey server_key(kServerHostname, kServerPort, false);
+  QuicSessionKey server_key(kServerHostname, kServerPort, false,
+                            kPrivacyModeDisabled);
   QuicCryptoClientStream client(server_key, &client_session, NULL,
                                 &crypto_config);
   client_session.SetCryptoStream(&client);
diff --git a/net/quic/test_tools/crypto_test_utils.h b/net/quic/test_tools/crypto_test_utils.h
index 65ba9ee900..1d26dc7e7e 100644
--- a/net/quic/test_tools/crypto_test_utils.h
+++ b/net/quic/test_tools/crypto_test_utils.h
@@ -23,6 +23,7 @@ class ChannelIDSigner;
 class CommonCertSets;
 class ProofSource;
 class ProofVerifier;
+class ProofVerifyContext;
 class QuicClock;
 class QuicConfig;
 class QuicCryptoClientStream;
@@ -96,6 +97,10 @@ class CryptoTestUtils {
   // Returns a |ProofVerifier| that uses the QUIC testing root CA.
   static ProofVerifier* ProofVerifierForTesting();
 
+  // Returns a |ProofVerifyContext| that must be used with the verifier
+  // returned by |ProofVerifierForTesting|.
+  static ProofVerifyContext* ProofVerifyContextForTesting();
+
   // MockCommonCertSets returns a CommonCertSets that contains a single set with
   // hash |hash|, consisting of the certificate |cert| at index |index|.
   static CommonCertSets* MockCommonCertSets(base::StringPiece cert,
diff --git a/net/quic/test_tools/crypto_test_utils_chromium.cc b/net/quic/test_tools/crypto_test_utils_chromium.cc
index 8aaef425da..eb4fec03af 100644
--- a/net/quic/test_tools/crypto_test_utils_chromium.cc
+++ b/net/quic/test_tools/crypto_test_utils_chromium.cc
@@ -22,7 +22,7 @@ class TestProofVerifierChromium : public ProofVerifierChromium {
  public:
   TestProofVerifierChromium(CertVerifier* cert_verifier,
                             const std::string& cert_file)
-      : ProofVerifierChromium(cert_verifier, BoundNetLog()),
+      : ProofVerifierChromium(cert_verifier),
         cert_verifier_(cert_verifier) {
     // Load and install the root for the validated chain.
     scoped_refptr<X509Certificate> root_cert =
@@ -48,6 +48,11 @@ ProofVerifier* CryptoTestUtils::ProofVerifierForTesting() {
   return proof_verifier;
 }
 
+// static
+ProofVerifyContext* CryptoTestUtils::ProofVerifyContextForTesting() {
+  return new ProofVerifyContextChromium(BoundNetLog());
+}
+
 }  // namespace test
 
 }  // namespace net
diff --git a/net/quic/test_tools/mock_crypto_client_stream.cc b/net/quic/test_tools/mock_crypto_client_stream.cc
index b0112d5939..a5ff1734be 100644
--- a/net/quic/test_tools/mock_crypto_client_stream.cc
+++ b/net/quic/test_tools/mock_crypto_client_stream.cc
@@ -4,6 +4,7 @@
 
 #include "net/quic/test_tools/mock_crypto_client_stream.h"
 
+#include "net/quic/quic_client_session_base.h"
 #include "net/quic/quic_session_key.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -11,12 +12,13 @@ namespace net {
 
 MockCryptoClientStream::MockCryptoClientStream(
     const QuicSessionKey& server_key,
-    QuicSession* session,
-    QuicCryptoClientStream::Visitor* visitor,
+    QuicClientSessionBase* session,
+    ProofVerifyContext* verify_context,
     QuicCryptoClientConfig* crypto_config,
     HandshakeMode handshake_mode,
     const ProofVerifyDetails* proof_verify_details)
-    : QuicCryptoClientStream(server_key, session, visitor, crypto_config),
+    : QuicCryptoClientStream(server_key, session, verify_context,
+                             crypto_config),
       handshake_mode_(handshake_mode),
       proof_verify_details_(proof_verify_details) {
 }
@@ -43,7 +45,7 @@ bool MockCryptoClientStream::CryptoConnect() {
       encryption_established_ = true;
       handshake_confirmed_ = true;
       if (proof_verify_details_) {
-        visitor()->OnProofVerifyDetailsAvailable(*proof_verify_details_);
+        client_session()->OnProofVerifyDetailsAvailable(*proof_verify_details_);
       }
       SetConfigNegotiated();
       session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
@@ -90,4 +92,8 @@ void MockCryptoClientStream::SetConfigNegotiated() {
   ASSERT_TRUE(session()->config()->negotiated());
 }
 
+QuicClientSessionBase* MockCryptoClientStream::client_session() {
+  return reinterpret_cast<QuicClientSessionBase*>(session());
+}
+
 }  // namespace net
diff --git a/net/quic/test_tools/mock_crypto_client_stream.h b/net/quic/test_tools/mock_crypto_client_stream.h
index 444f88dd1b..85679451b8 100644
--- a/net/quic/test_tools/mock_crypto_client_stream.h
+++ b/net/quic/test_tools/mock_crypto_client_stream.h
@@ -37,8 +37,8 @@ class MockCryptoClientStream : public QuicCryptoClientStream {
 
   MockCryptoClientStream(
       const QuicSessionKey& server_key,
-      QuicSession* session,
-      QuicCryptoClientStream::Visitor* visitor,
+      QuicClientSessionBase* session,
+      ProofVerifyContext* verify_context,
       QuicCryptoClientConfig* crypto_config,
       HandshakeMode handshake_mode,
       const ProofVerifyDetails* proof_verify_details_);
@@ -59,6 +59,7 @@ class MockCryptoClientStream : public QuicCryptoClientStream {
 
  private:
   void SetConfigNegotiated();
+  QuicClientSessionBase* client_session();
 
   const ProofVerifyDetails* proof_verify_details_;
 };
diff --git a/net/quic/test_tools/mock_crypto_client_stream_factory.cc b/net/quic/test_tools/mock_crypto_client_stream_factory.cc
index 686fd5641e..83dac36928 100644
--- a/net/quic/test_tools/mock_crypto_client_stream_factory.cc
+++ b/net/quic/test_tools/mock_crypto_client_stream_factory.cc
@@ -25,7 +25,7 @@ MockCryptoClientStreamFactory::CreateQuicCryptoClientStream(
     QuicClientSession* session,
     QuicCryptoClientConfig* crypto_config) {
   last_stream_ = new MockCryptoClientStream(
-      server_key, session, session, crypto_config, handshake_mode_,
+      server_key, session, NULL, crypto_config, handshake_mode_,
       proof_verify_details_);
   return last_stream_;
 }
diff --git a/net/quic/test_tools/quic_test_utils.cc b/net/quic/test_tools/quic_test_utils.cc
index c3e20ae5ef..7d24b2f3f9 100644
--- a/net/quic/test_tools/quic_test_utils.cc
+++ b/net/quic/test_tools/quic_test_utils.cc
@@ -23,6 +23,7 @@ using std::max;
 using std::min;
 using std::string;
 using testing::_;
+using testing::AnyNumber;
 
 namespace net {
 namespace test {
@@ -364,6 +365,23 @@ QuicCryptoStream* TestSession::GetCryptoStream() {
   return crypto_stream_;
 }
 
+TestClientSession::TestClientSession(QuicConnection* connection,
+                                     const QuicConfig& config)
+    : QuicClientSessionBase(connection, config),
+      crypto_stream_(NULL) {
+    EXPECT_CALL(*this, OnProofValid(_)).Times(AnyNumber());
+}
+
+TestClientSession::~TestClientSession() {}
+
+void TestClientSession::SetCryptoStream(QuicCryptoStream* stream) {
+  crypto_stream_ = stream;
+}
+
+QuicCryptoStream* TestClientSession::GetCryptoStream() {
+  return crypto_stream_;
+}
+
 MockPacketWriter::MockPacketWriter() {
 }
 
diff --git a/net/quic/test_tools/quic_test_utils.h b/net/quic/test_tools/quic_test_utils.h
index f6e188acc5..1cca4e860e 100644
--- a/net/quic/test_tools/quic_test_utils.h
+++ b/net/quic/test_tools/quic_test_utils.h
@@ -13,7 +13,9 @@
 #include "base/strings/string_piece.h"
 #include "net/quic/congestion_control/loss_detection_interface.h"
 #include "net/quic/congestion_control/send_algorithm_interface.h"
+#include "net/quic/crypto/quic_crypto_client_config.h"
 #include "net/quic/quic_ack_notifier.h"
+#include "net/quic/quic_client_session_base.h"
 #include "net/quic/quic_connection.h"
 #include "net/quic/quic_framer.h"
 #include "net/quic/quic_session.h"
@@ -396,13 +398,37 @@ class TestSession : public QuicSession {
 
   void SetCryptoStream(QuicCryptoStream* stream);
 
-  virtual QuicCryptoStream* GetCryptoStream();
+  virtual QuicCryptoStream* GetCryptoStream() OVERRIDE;
 
  private:
   QuicCryptoStream* crypto_stream_;
   DISALLOW_COPY_AND_ASSIGN(TestSession);
 };
 
+class TestClientSession : public QuicClientSessionBase {
+ public:
+  TestClientSession(QuicConnection* connection, const QuicConfig& config);
+  virtual ~TestClientSession();
+
+  // QuicClientSessionBase
+  MOCK_METHOD1(OnProofValid,
+               void(const QuicCryptoClientConfig::CachedState& cached));
+  MOCK_METHOD1(OnProofVerifyDetailsAvailable,
+               void(const ProofVerifyDetails& verify_details));
+
+  // TestClientSession
+  MOCK_METHOD1(CreateIncomingDataStream, QuicDataStream*(QuicStreamId id));
+  MOCK_METHOD0(CreateOutgoingDataStream, QuicDataStream*());
+
+  void SetCryptoStream(QuicCryptoStream* stream);
+
+  virtual QuicCryptoStream* GetCryptoStream() OVERRIDE;
+
+ private:
+  QuicCryptoStream* crypto_stream_;
+  DISALLOW_COPY_AND_ASSIGN(TestClientSession);
+};
+
 class MockPacketWriter : public QuicPacketWriter {
  public:
   MockPacketWriter();
diff --git a/net/socket/client_socket_pool_base.cc b/net/socket/client_socket_pool_base.cc
index e20b355daf..9e1abf482a 100644
--- a/net/socket/client_socket_pool_base.cc
+++ b/net/socket/client_socket_pool_base.cc
@@ -448,7 +448,7 @@ bool ClientSocketPoolBaseHelper::AssignIdleSocketToRequest(
   //   the |idle_socket_it| will be set to the newest used idle socket.
   for (std::list<IdleSocket>::iterator it = idle_sockets->begin();
        it != idle_sockets->end();) {
-    if (!it->socket->IsConnectedAndIdle()) {
+    if (!it->IsUsable()) {
       DecrementIdleCount();
       delete it->socket;
       it = idle_sockets->erase(it);
@@ -648,15 +648,19 @@ base::DictionaryValue* ClientSocketPoolBaseHelper::GetInfoAsValue(
   return dict;
 }
 
+bool ClientSocketPoolBaseHelper::IdleSocket::IsUsable() const {
+  if (socket->WasEverUsed())
+    return socket->IsConnectedAndIdle();
+  return socket->IsConnected();
+}
+
 bool ClientSocketPoolBaseHelper::IdleSocket::ShouldCleanup(
     base::TimeTicks now,
     base::TimeDelta timeout) const {
   bool timed_out = (now - start_time) >= timeout;
   if (timed_out)
     return true;
-  if (socket->WasEverUsed())
-    return !socket->IsConnectedAndIdle();
-  return !socket->IsConnected();
+  return !IsUsable();
 }
 
 void ClientSocketPoolBaseHelper::CleanupIdleSockets(bool force) {
diff --git a/net/socket/client_socket_pool_base.h b/net/socket/client_socket_pool_base.h
index 8a0a1f3c10..8079cd4e5c 100644
--- a/net/socket/client_socket_pool_base.h
+++ b/net/socket/client_socket_pool_base.h
@@ -339,14 +339,19 @@ class NET_EXPORT_PRIVATE ClientSocketPoolBaseHelper
   struct IdleSocket {
     IdleSocket() : socket(NULL) {}
 
+    // An idle socket can't be used if it is disconnected or has been used
+    // before and has received data unexpectedly (hence no longer idle).  The
+    // unread data would be mistaken for the beginning of the next response if
+    // we were to use the socket for a new request.
+    //
+    // Note that a socket that has never been used before (like a preconnected
+    // socket) may be used even with unread data.  This may be, e.g., a SPDY
+    // SETTINGS frame.
+    bool IsUsable() const;
+
     // An idle socket should be removed if it can't be reused, or has been idle
     // for too long. |now| is the current time value (TimeTicks::Now()).
     // |timeout| is the length of time to wait before timing out an idle socket.
-    //
-    // An idle socket can't be reused if it is disconnected or has received
-    // data unexpectedly (hence no longer idle).  The unread data would be
-    // mistaken for the beginning of the next response if we were to reuse the
-    // socket for a new request.
     bool ShouldCleanup(base::TimeTicks now, base::TimeDelta timeout) const;
 
     StreamSocket* socket;
diff --git a/net/socket/client_socket_pool_base_unittest.cc b/net/socket/client_socket_pool_base_unittest.cc
index 46f4e40c0d..605af728c5 100644
--- a/net/socket/client_socket_pool_base_unittest.cc
+++ b/net/socket/client_socket_pool_base_unittest.cc
@@ -116,14 +116,26 @@ class MockClientSocket : public StreamSocket {
  public:
   explicit MockClientSocket(net::NetLog* net_log)
       : connected_(false),
+        has_unread_data_(false),
         net_log_(BoundNetLog::Make(net_log, net::NetLog::SOURCE_SOCKET)),
         was_used_to_convey_data_(false) {
   }
 
+  // Sets whether the socket has unread data. If true, the next call to Read()
+  // will return 1 byte and IsConnectedAndIdle() will return false.
+  void set_has_unread_data(bool has_unread_data) {
+    has_unread_data_ = has_unread_data;
+  }
+
   // Socket implementation.
   virtual int Read(
       IOBuffer* /* buf */, int len,
       const CompletionCallback& /* callback */) OVERRIDE {
+    if (has_unread_data_ && len > 0) {
+      has_unread_data_ = false;
+      was_used_to_convey_data_ = true;
+      return 1;
+    }
     return ERR_UNEXPECTED;
   }
 
@@ -144,7 +156,9 @@ class MockClientSocket : public StreamSocket {
 
   virtual void Disconnect() OVERRIDE { connected_ = false; }
   virtual bool IsConnected() const OVERRIDE { return connected_; }
-  virtual bool IsConnectedAndIdle() const OVERRIDE { return connected_; }
+  virtual bool IsConnectedAndIdle() const OVERRIDE {
+    return connected_ && !has_unread_data_;
+  }
 
   virtual int GetPeerAddress(IPEndPoint* /* address */) const OVERRIDE {
     return ERR_UNEXPECTED;
@@ -176,6 +190,7 @@ class MockClientSocket : public StreamSocket {
 
  private:
   bool connected_;
+  bool has_unread_data_;
   BoundNetLog net_log_;
   bool was_used_to_convey_data_;
 
@@ -245,6 +260,7 @@ class TestConnectJob : public ConnectJob {
     kMockPendingRecoverableJob,
     kMockAdditionalErrorStateJob,
     kMockPendingAdditionalErrorStateJob,
+    kMockUnreadDataJob,
   };
 
   // The kMockPendingJob uses a slight delay before allowing the connect
@@ -372,6 +388,12 @@ class TestConnectJob : public ConnectJob {
                        false /* recoverable */),
             base::TimeDelta::FromMilliseconds(2));
         return ERR_IO_PENDING;
+      case kMockUnreadDataJob: {
+        int ret = DoConnect(true /* successful */, false /* sync */,
+                            false /* recoverable */);
+        static_cast<MockClientSocket*>(socket())->set_has_unread_data(true);
+        return ret;
+      }
       default:
         NOTREACHED();
         SetSocket(scoped_ptr<StreamSocket>());
@@ -3541,7 +3563,7 @@ TEST_F(ClientSocketPoolBaseTest, PreconnectJobsTakenByNormalRequests) {
 
   ASSERT_EQ(OK, callback1.WaitForResult());
 
-  // Make sure if a preconneced socket is not fully connected when a request
+  // Make sure if a preconnected socket is not fully connected when a request
   // starts, it has a connect start time.
   TestLoadTimingInfoConnectedNotReused(handle1);
   handle1.Reset();
@@ -3720,6 +3742,46 @@ TEST_F(ClientSocketPoolBaseTest, PreconnectWithBackupJob) {
   EXPECT_EQ(1, pool_->NumActiveSocketsInGroup("a"));
 }
 
+// Tests that a preconnect that starts out with unread data can still be used.
+// http://crbug.com/334467
+TEST_F(ClientSocketPoolBaseTest, PreconnectWithUnreadData) {
+  CreatePool(kDefaultMaxSockets, kDefaultMaxSocketsPerGroup);
+  connect_job_factory_->set_job_type(TestConnectJob::kMockUnreadDataJob);
+
+  pool_->RequestSockets("a", &params_, 1, BoundNetLog());
+
+  ASSERT_TRUE(pool_->HasGroup("a"));
+  EXPECT_EQ(0, pool_->NumConnectJobsInGroup("a"));
+  EXPECT_EQ(0, pool_->NumUnassignedConnectJobsInGroup("a"));
+  EXPECT_EQ(1, pool_->IdleSocketCountInGroup("a"));
+
+  // Fail future jobs to be sure that handle receives the preconnected socket
+  // rather than closing it and making a new one.
+  connect_job_factory_->set_job_type(TestConnectJob::kMockFailingJob);
+  ClientSocketHandle handle;
+  TestCompletionCallback callback;
+  EXPECT_EQ(OK, handle.Init("a",
+                             params_,
+                             DEFAULT_PRIORITY,
+                             callback.callback(),
+                             pool_.get(),
+                             BoundNetLog()));
+
+  ASSERT_TRUE(pool_->HasGroup("a"));
+  EXPECT_EQ(0, pool_->NumConnectJobsInGroup("a"));
+  EXPECT_EQ(0, pool_->NumUnassignedConnectJobsInGroup("a"));
+  EXPECT_EQ(0, pool_->IdleSocketCountInGroup("a"));
+
+  // Drain the pending read.
+  EXPECT_EQ(1, handle.socket()->Read(NULL, 1, CompletionCallback()));
+
+  TestLoadTimingInfoConnectedReused(handle);
+  handle.Reset();
+
+  // The socket should be usable now that it's idle again.
+  EXPECT_EQ(1, pool_->IdleSocketCountInGroup("a"));
+}
+
 class MockLayeredPool : public HigherLayeredPool {
  public:
   MockLayeredPool(TestClientSocketPool* pool,
diff --git a/net/socket/client_socket_pool_manager.cc b/net/socket/client_socket_pool_manager.cc
index 24d6b70ced..7ade7318c9 100644
--- a/net/socket/client_socket_pool_manager.cc
+++ b/net/socket/client_socket_pool_manager.cc
@@ -132,8 +132,7 @@ int InitSocketPoolHelper(const GURL& request_url,
     // should be the same for all connections, whereas version_max may
     // change for version fallbacks.
     std::string prefix = "ssl/";
-    if (ssl_config_for_origin.version_max !=
-        SSLConfigService::default_version_max()) {
+    if (ssl_config_for_origin.version_max != net::kDefaultSSLVersionMax) {
       switch (ssl_config_for_origin.version_max) {
         case SSL_PROTOCOL_VERSION_TLS1_2:
           prefix = "ssl(max:3.3)/";
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index 20911d5a67..7b068545a5 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -357,12 +357,16 @@ int MapNSSError(PRErrorCode err) {
       return ERR_SSL_INAPPROPRIATE_FALLBACK;
 
     default: {
+      const char* err_name = PR_ErrorToName(err);
+      if (err_name == NULL)
+        err_name = "";
       if (IS_SSL_ERROR(err)) {
-        LOG(WARNING) << "Unknown SSL error " << err
+        LOG(WARNING) << "Unknown SSL error " << err << " (" << err_name << ")"
                      << " mapped to net::ERR_SSL_PROTOCOL_ERROR";
         return ERR_SSL_PROTOCOL_ERROR;
       }
-      LOG(WARNING) << "Unknown error " << err << " mapped to net::ERR_FAILED";
+      LOG(WARNING) << "Unknown error " << err << " (" << err_name << ")"
+                   << " mapped to net::ERR_FAILED";
       return ERR_FAILED;
     }
   }
diff --git a/net/socket/socks5_client_socket.cc b/net/socket/socks5_client_socket.cc
index 004b67c669..777ce0c26a 100644
--- a/net/socket/socks5_client_socket.cc
+++ b/net/socket/socks5_client_socket.cc
@@ -5,6 +5,7 @@
 #include "net/socket/socks5_client_socket.h"
 
 #include "base/basictypes.h"
+#include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/debug/trace_event.h"
 #include "base/format_macros.h"
@@ -38,6 +39,7 @@ SOCKS5ClientSocket::SOCKS5ClientSocket(
       bytes_sent_(0),
       bytes_received_(0),
       read_header_size(kReadHeaderSize),
+      was_ever_used_(false),
       host_request_info_(req_info),
       net_log_(transport_->socket()->NetLog()) {
 }
@@ -109,11 +111,7 @@ void SOCKS5ClientSocket::SetOmniboxSpeculation() {
 }
 
 bool SOCKS5ClientSocket::WasEverUsed() const {
-  if (transport_.get() && transport_->socket()) {
-    return transport_->socket()->WasEverUsed();
-  }
-  NOTREACHED();
-  return false;
+  return was_ever_used_;
 }
 
 bool SOCKS5ClientSocket::UsingTCPFastOpen() const {
@@ -156,19 +154,33 @@ int SOCKS5ClientSocket::Read(IOBuffer* buf, int buf_len,
   DCHECK(completed_handshake_);
   DCHECK_EQ(STATE_NONE, next_state_);
   DCHECK(user_callback_.is_null());
-
-  return transport_->socket()->Read(buf, buf_len, callback);
+  DCHECK(!callback.is_null());
+
+  int rv = transport_->socket()->Read(
+      buf, buf_len,
+      base::Bind(&SOCKS5ClientSocket::OnReadWriteComplete,
+                 base::Unretained(this), callback));
+  if (rv > 0)
+    was_ever_used_ = true;
+  return rv;
 }
 
 // Write is called by the transport layer. This can only be done if the
 // SOCKS handshake is complete.
 int SOCKS5ClientSocket::Write(IOBuffer* buf, int buf_len,
-                             const CompletionCallback& callback) {
+                              const CompletionCallback& callback) {
   DCHECK(completed_handshake_);
   DCHECK_EQ(STATE_NONE, next_state_);
   DCHECK(user_callback_.is_null());
-
-  return transport_->socket()->Write(buf, buf_len, callback);
+  DCHECK(!callback.is_null());
+
+  int rv = transport_->socket()->Write(
+      buf, buf_len,
+      base::Bind(&SOCKS5ClientSocket::OnReadWriteComplete,
+                 base::Unretained(this), callback));
+  if (rv > 0)
+    was_ever_used_ = true;
+  return rv;
 }
 
 bool SOCKS5ClientSocket::SetReceiveBufferSize(int32 size) {
@@ -185,9 +197,7 @@ void SOCKS5ClientSocket::DoCallback(int result) {
 
   // Since Run() may result in Read being called,
   // clear user_callback_ up front.
-  CompletionCallback c = user_callback_;
-  user_callback_.Reset();
-  c.Run(result);
+  base::ResetAndReturn(&user_callback_).Run(result);
 }
 
 void SOCKS5ClientSocket::OnIOComplete(int result) {
@@ -199,6 +209,16 @@ void SOCKS5ClientSocket::OnIOComplete(int result) {
   }
 }
 
+void SOCKS5ClientSocket::OnReadWriteComplete(const CompletionCallback& callback,
+                                             int result) {
+  DCHECK_NE(ERR_IO_PENDING, result);
+  DCHECK(!callback.is_null());
+
+  if (result > 0)
+    was_ever_used_ = true;
+  callback.Run(result);
+}
+
 int SOCKS5ClientSocket::DoLoop(int last_io_result) {
   DCHECK_NE(next_state_, STATE_NONE);
   int rv = last_io_result;
diff --git a/net/socket/socks5_client_socket.h b/net/socket/socks5_client_socket.h
index 45216244f1..75f75310d7 100644
--- a/net/socket/socks5_client_socket.h
+++ b/net/socket/socks5_client_socket.h
@@ -99,6 +99,7 @@ class NET_EXPORT_PRIVATE SOCKS5ClientSocket : public StreamSocket {
 
   void DoCallback(int result);
   void OnIOComplete(int result);
+  void OnReadWriteComplete(const CompletionCallback& callback, int result);
 
   int DoLoop(int last_io_result);
   int DoHandshakeRead();
@@ -143,6 +144,8 @@ class NET_EXPORT_PRIVATE SOCKS5ClientSocket : public StreamSocket {
 
   size_t read_header_size;
 
+  bool was_ever_used_;
+
   HostResolver::RequestInfo host_request_info_;
 
   BoundNetLog net_log_;
diff --git a/net/socket/socks_client_socket.cc b/net/socket/socks_client_socket.cc
index 67089589cc..654509210a 100644
--- a/net/socket/socks_client_socket.cc
+++ b/net/socket/socks_client_socket.cc
@@ -6,6 +6,7 @@
 
 #include "base/basictypes.h"
 #include "base/bind.h"
+#include "base/callback_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/sys_byteorder.h"
 #include "net/base/io_buffer.h"
@@ -65,6 +66,7 @@ SOCKSClientSocket::SOCKSClientSocket(
       completed_handshake_(false),
       bytes_sent_(0),
       bytes_received_(0),
+      was_ever_used_(false),
       host_resolver_(host_resolver),
       host_request_info_(req_info),
       priority_(priority),
@@ -137,11 +139,7 @@ void SOCKSClientSocket::SetOmniboxSpeculation() {
 }
 
 bool SOCKSClientSocket::WasEverUsed() const {
-  if (transport_.get() && transport_->socket()) {
-    return transport_->socket()->WasEverUsed();
-  }
-  NOTREACHED();
-  return false;
+  return was_ever_used_;
 }
 
 bool SOCKSClientSocket::UsingTCPFastOpen() const {
@@ -184,8 +182,15 @@ int SOCKSClientSocket::Read(IOBuffer* buf, int buf_len,
   DCHECK(completed_handshake_);
   DCHECK_EQ(STATE_NONE, next_state_);
   DCHECK(user_callback_.is_null());
-
-  return transport_->socket()->Read(buf, buf_len, callback);
+  DCHECK(!callback.is_null());
+
+  int rv = transport_->socket()->Read(
+      buf, buf_len,
+      base::Bind(&SOCKSClientSocket::OnReadWriteComplete,
+                 base::Unretained(this), callback));
+  if (rv > 0)
+    was_ever_used_ = true;
+  return rv;
 }
 
 // Write is called by the transport layer. This can only be done if the
@@ -195,8 +200,15 @@ int SOCKSClientSocket::Write(IOBuffer* buf, int buf_len,
   DCHECK(completed_handshake_);
   DCHECK_EQ(STATE_NONE, next_state_);
   DCHECK(user_callback_.is_null());
-
-  return transport_->socket()->Write(buf, buf_len, callback);
+  DCHECK(!callback.is_null());
+
+  int rv = transport_->socket()->Write(
+      buf, buf_len,
+      base::Bind(&SOCKSClientSocket::OnReadWriteComplete,
+                 base::Unretained(this), callback));
+  if (rv > 0)
+    was_ever_used_ = true;
+  return rv;
 }
 
 bool SOCKSClientSocket::SetReceiveBufferSize(int32 size) {
@@ -213,10 +225,8 @@ void SOCKSClientSocket::DoCallback(int result) {
 
   // Since Run() may result in Read being called,
   // clear user_callback_ up front.
-  CompletionCallback c = user_callback_;
-  user_callback_.Reset();
   DVLOG(1) << "Finished setting up SOCKS handshake";
-  c.Run(result);
+  base::ResetAndReturn(&user_callback_).Run(result);
 }
 
 void SOCKSClientSocket::OnIOComplete(int result) {
@@ -228,6 +238,16 @@ void SOCKSClientSocket::OnIOComplete(int result) {
   }
 }
 
+void SOCKSClientSocket::OnReadWriteComplete(const CompletionCallback& callback,
+                                            int result) {
+  DCHECK_NE(ERR_IO_PENDING, result);
+  DCHECK(!callback.is_null());
+
+  if (result > 0)
+    was_ever_used_ = true;
+  callback.Run(result);
+}
+
 int SOCKSClientSocket::DoLoop(int last_io_result) {
   DCHECK_NE(next_state_, STATE_NONE);
   int rv = last_io_result;
diff --git a/net/socket/socks_client_socket.h b/net/socket/socks_client_socket.h
index d4f058a62b..be05ce0fad 100644
--- a/net/socket/socks_client_socket.h
+++ b/net/socket/socks_client_socket.h
@@ -84,6 +84,7 @@ class NET_EXPORT_PRIVATE SOCKSClientSocket : public StreamSocket {
 
   void DoCallback(int result);
   void OnIOComplete(int result);
+  void OnReadWriteComplete(const CompletionCallback& callback, int result);
 
   int DoLoop(int last_io_result);
   int DoResolveHost();
@@ -100,7 +101,7 @@ class NET_EXPORT_PRIVATE SOCKSClientSocket : public StreamSocket {
 
   State next_state_;
 
-  // Stores the callback to the layer above, called on completing Connect().
+  // Stores the callbacks to the layer above, called on completing Connect().
   CompletionCallback user_callback_;
 
   // This IOBuffer is used by the class to read and write
@@ -120,6 +121,9 @@ class NET_EXPORT_PRIVATE SOCKSClientSocket : public StreamSocket {
   size_t bytes_sent_;
   size_t bytes_received_;
 
+  // This becomes true when the socket is used to send or receive data.
+  bool was_ever_used_;
+
   // Used to resolve the hostname to which the SOCKS proxy will connect.
   SingleRequestHostResolver host_resolver_;
   AddressList addresses_;
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index ca5a6891b8..b3c8e0ee7b 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -330,7 +330,6 @@ class PeerCertificateChain {
   std::vector<base::StringPiece> AsStringPieceVector() const;
 
   bool empty() const { return certs_.empty(); }
-  size_t size() const { return certs_.size(); }
 
   CERTCertificate* operator[](size_t index) const {
     DCHECK_LT(index, certs_.size());
@@ -636,9 +635,10 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
   int Write(IOBuffer* buf, int buf_len, const CompletionCallback& callback);
 
   // Called on the network task runner.
-  bool IsConnected();
-  bool HasPendingAsyncOperation();
-  bool HasUnhandledReceivedData();
+  bool IsConnected() const;
+  bool HasPendingAsyncOperation() const;
+  bool HasUnhandledReceivedData() const;
+  bool WasEverUsed() const;
 
   // Called on the network task runner.
   // Causes the associated SSL/TLS session ID to be added to NSS's session
@@ -841,6 +841,10 @@ class SSLClientSocketNSS::Core : public base::RefCountedThreadSafe<Core> {
   bool nss_waiting_write_;
   bool nss_is_closed_;
 
+  // Set when Read() or Write() successfully reads or writes data to or from the
+  // network.
+  bool was_ever_used_;
+
   ////////////////////////////////////////////////////////////////////////////
   // Members that are ONLY accessed on the NSS task runner:
   ////////////////////////////////////////////////////////////////////////////
@@ -936,6 +940,7 @@ SSLClientSocketNSS::Core::Core(
       nss_waiting_read_(false),
       nss_waiting_write_(false),
       nss_is_closed_(false),
+      was_ever_used_(false),
       host_and_port_(host_and_port),
       ssl_config_(ssl_config),
       nss_fd_(NULL),
@@ -1148,8 +1153,11 @@ int SSLClientSocketNSS::Core::Read(IOBuffer* buf, int buf_len,
       return ERR_IO_PENDING;
     } else {
       DCHECK(!nss_waiting_read_);
-      if (rv <= 0)
+      if (rv <= 0) {
         nss_is_closed_ = true;
+      } else {
+        was_ever_used_ = true;
+      }
     }
   }
 
@@ -1202,29 +1210,37 @@ int SSLClientSocketNSS::Core::Write(IOBuffer* buf, int buf_len,
       return ERR_IO_PENDING;
     } else {
       DCHECK(!nss_waiting_write_);
-      if (rv < 0)
+      if (rv < 0) {
         nss_is_closed_ = true;
+      } else if (rv > 0) {
+        was_ever_used_ = true;
+      }
     }
   }
 
   return rv;
 }
 
-bool SSLClientSocketNSS::Core::IsConnected() {
+bool SSLClientSocketNSS::Core::IsConnected() const {
   DCHECK(OnNetworkTaskRunner());
   return !nss_is_closed_;
 }
 
-bool SSLClientSocketNSS::Core::HasPendingAsyncOperation() {
+bool SSLClientSocketNSS::Core::HasPendingAsyncOperation() const {
   DCHECK(OnNetworkTaskRunner());
   return nss_waiting_read_ || nss_waiting_write_;
 }
 
-bool SSLClientSocketNSS::Core::HasUnhandledReceivedData() {
+bool SSLClientSocketNSS::Core::HasUnhandledReceivedData() const {
   DCHECK(OnNetworkTaskRunner());
   return unhandled_buffer_size_ != 0;
 }
 
+bool SSLClientSocketNSS::Core::WasEverUsed() const {
+  DCHECK(OnNetworkTaskRunner());
+  return was_ever_used_;
+}
+
 void SSLClientSocketNSS::Core::CacheSessionIfNecessary() {
   // TODO(rsleevi): This should occur on the NSS task runner, due to the use of
   // nss_fd_. However, it happens on the network task runner in order to match
@@ -2656,16 +2672,22 @@ void SSLClientSocketNSS::Core::DidNSSRead(int result) {
   DCHECK(OnNetworkTaskRunner());
   DCHECK(nss_waiting_read_);
   nss_waiting_read_ = false;
-  if (result <= 0)
+  if (result <= 0) {
     nss_is_closed_ = true;
+  } else {
+    was_ever_used_ = true;
+  }
 }
 
 void SSLClientSocketNSS::Core::DidNSSWrite(int result) {
   DCHECK(OnNetworkTaskRunner());
   DCHECK(nss_waiting_write_);
   nss_waiting_write_ = false;
-  if (result < 0)
+  if (result < 0) {
     nss_is_closed_ = true;
+  } else if (result > 0) {
+    was_ever_used_ = true;
+  }
 }
 
 void SSLClientSocketNSS::Core::BufferSendComplete(int result) {
@@ -3025,11 +3047,9 @@ void SSLClientSocketNSS::SetOmniboxSpeculation() {
 }
 
 bool SSLClientSocketNSS::WasEverUsed() const {
-  if (transport_.get() && transport_->socket()) {
-    return transport_->socket()->WasEverUsed();
-  }
-  NOTREACHED();
-  return false;
+  DCHECK(core_.get());
+
+  return core_->WasEverUsed();
 }
 
 bool SSLClientSocketNSS::UsingTCPFastOpen() const {
@@ -3243,7 +3263,7 @@ int SSLClientSocketNSS::InitializeSSLPeerName() {
 
   SockaddrStorage storage;
   if (!peer_address.ToSockAddr(storage.addr, &storage.addr_len))
-    return ERR_UNEXPECTED;
+    return ERR_ADDRESS_INVALID;
 
   PRNetAddr peername;
   memset(&peername, 0, sizeof(peername));
diff --git a/net/socket/ssl_client_socket_openssl.cc b/net/socket/ssl_client_socket_openssl.cc
index f97c4697cf..ef3b130c5d 100644
--- a/net/socket/ssl_client_socket_openssl.cc
+++ b/net/socket/ssl_client_socket_openssl.cc
@@ -389,7 +389,7 @@ SSLClientSocketOpenSSL::PeerCertificateChain::operator=(
   return *this;
 }
 
-#if defined(USE_OPENSSL)
+#if defined(USE_OPENSSL_CERTS)
 // When OSCertHandle is typedef'ed to X509, this implementation does a short cut
 // to avoid converting back and forth between der and X509 struct.
 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
@@ -417,7 +417,7 @@ void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
     CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
   }
 }
-#else  // !defined(USE_OPENSSL)
+#else  // !defined(USE_OPENSSL_CERTS)
 void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
     STACK_OF(X509)* chain) {
   openssl_chain_.reset(NULL);
@@ -455,7 +455,7 @@ void SSLClientSocketOpenSSL::PeerCertificateChain::Reset(
     os_chain_ = NULL;
   }
 }
-#endif  // USE_OPENSSL
+#endif  // defined(USE_OPENSSL_CERTS)
 
 // static
 SSLSessionCacheOpenSSL::Config
@@ -471,7 +471,9 @@ void SSLClientSocket::ClearSessionCache() {
   SSLClientSocketOpenSSL::SSLContext* context =
       SSLClientSocketOpenSSL::SSLContext::GetInstance();
   context->session_cache()->Flush();
+#if defined(USE_OPENSSL_CERTS)
   OpenSSLClientKeyStore::GetInstance()->Flush();
+#endif
 }
 
 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
@@ -487,6 +489,7 @@ SSLClientSocketOpenSSL::SSLClientSocketOpenSSL(
       transport_write_error_(OK),
       server_cert_chain_(new PeerCertificateChain(NULL)),
       completed_handshake_(false),
+      was_ever_used_(false),
       client_auth_cert_needed_(false),
       cert_verifier_(context.cert_verifier),
       server_bound_cert_service_(context.server_bound_cert_service),
@@ -675,11 +678,7 @@ void SSLClientSocketOpenSSL::SetOmniboxSpeculation() {
 }
 
 bool SSLClientSocketOpenSSL::WasEverUsed() const {
-  if (transport_.get() && transport_->socket())
-    return transport_->socket()->WasEverUsed();
-
-  NOTREACHED();
-  return false;
+  return was_ever_used_;
 }
 
 bool SSLClientSocketOpenSSL::UsingTCPFastOpen() const {
@@ -750,6 +749,8 @@ int SSLClientSocketOpenSSL::Read(IOBuffer* buf,
   if (rv == ERR_IO_PENDING) {
     user_read_callback_ = callback;
   } else {
+    if (rv > 0)
+      was_ever_used_ = true;
     user_read_buf_ = NULL;
     user_read_buf_len_ = 0;
   }
@@ -768,6 +769,8 @@ int SSLClientSocketOpenSSL::Write(IOBuffer* buf,
   if (rv == ERR_IO_PENDING) {
     user_write_callback_ = callback;
   } else {
+    if (rv > 0)
+      was_ever_used_ = true;
     user_write_buf_ = NULL;
     user_write_buf_len_ = 0;
   }
@@ -907,6 +910,8 @@ bool SSLClientSocketOpenSSL::Init() {
 void SSLClientSocketOpenSSL::DoReadCallback(int rv) {
   // Since Run may result in Read being called, clear |user_read_callback_|
   // up front.
+  if (rv > 0)
+    was_ever_used_ = true;
   user_read_buf_ = NULL;
   user_read_buf_len_ = 0;
   base::ResetAndReturn(&user_read_callback_).Run(rv);
@@ -915,6 +920,8 @@ void SSLClientSocketOpenSSL::DoReadCallback(int rv) {
 void SSLClientSocketOpenSSL::DoWriteCallback(int rv) {
   // Since Run may result in Write being called, clear |user_write_callback_|
   // up front.
+  if (rv > 0)
+    was_ever_used_ = true;
   user_write_buf_ = NULL;
   user_write_buf_len_ = 0;
   base::ResetAndReturn(&user_write_callback_).Run(rv);
@@ -1414,7 +1421,7 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
   DCHECK(ssl == ssl_);
   DCHECK(*x509 == NULL);
   DCHECK(*pkey == NULL);
-
+#if defined(USE_OPENSSL_CERTS)
   if (!ssl_config_.send_client_cert) {
     // First pass: we know that a client certificate is needed, but we do not
     // have one at hand.
@@ -1451,6 +1458,10 @@ int SSLClientSocketOpenSSL::ClientCertRequestCallback(SSL* ssl,
     }
     LOG(WARNING) << "Client cert found without private key";
   }
+#else  // !defined(USE_OPENSSL_CERTS)
+  // OS handling of client certificates is not yet implemented.
+  NOTIMPLEMENTED();
+#endif  // defined(USE_OPENSSL_CERTS)
 
   // Send no client certificate.
   return 0;
diff --git a/net/socket/ssl_client_socket_openssl.h b/net/socket/ssl_client_socket_openssl.h
index 8952fefb12..6187c72e9f 100644
--- a/net/socket/ssl_client_socket_openssl.h
+++ b/net/socket/ssl_client_socket_openssl.h
@@ -187,6 +187,10 @@ class SSLClientSocketOpenSSL : public SSLClientSocket {
   CertVerifyResult server_cert_verify_result_;
   bool completed_handshake_;
 
+  // Set when Read() or Write() successfully reads or writes data to or from the
+  // network.
+  bool was_ever_used_;
+
   // Stores client authentication information between ClientAuthHandler and
   // GetSSLCertRequestInfo calls.
   bool client_auth_cert_needed_;
diff --git a/net/socket/ssl_client_socket_unittest.cc b/net/socket/ssl_client_socket_unittest.cc
index 20ba8967bf..0c6b33563a 100644
--- a/net/socket/ssl_client_socket_unittest.cc
+++ b/net/socket/ssl_client_socket_unittest.cc
@@ -2127,4 +2127,60 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsDisabled) {
   EXPECT_FALSE(sock->IsConnected());
 }
 
+// Tests that IsConnectedAndIdle and WasEverUsed behave as expected.
+TEST_F(SSLClientSocketTest, ReuseStates) {
+  SpawnedTestServer test_server(SpawnedTestServer::TYPE_HTTPS,
+                                SpawnedTestServer::kLocalhost,
+                                base::FilePath());
+  ASSERT_TRUE(test_server.Start());
+
+  AddressList addr;
+  ASSERT_TRUE(test_server.GetAddressList(&addr));
+
+  TestCompletionCallback callback;
+  scoped_ptr<StreamSocket> transport(
+      new TCPClientSocket(addr, NULL, NetLog::Source()));
+  int rv = transport->Connect(callback.callback());
+  if (rv == ERR_IO_PENDING)
+    rv = callback.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  scoped_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
+      transport.Pass(), test_server.host_port_pair(), kDefaultSSLConfig));
+
+  rv = sock->Connect(callback.callback());
+  if (rv == ERR_IO_PENDING)
+    rv = callback.WaitForResult();
+  EXPECT_EQ(OK, rv);
+
+  // The socket was just connected. It should be idle because it is speaking
+  // HTTP. Although the transport has been used for the handshake, WasEverUsed()
+  // returns false.
+  EXPECT_TRUE(sock->IsConnected());
+  EXPECT_TRUE(sock->IsConnectedAndIdle());
+  EXPECT_FALSE(sock->WasEverUsed());
+
+  const char kRequestText[] = "GET / HTTP/1.0\r\n\r\n";
+  const size_t kRequestLen = arraysize(kRequestText) - 1;
+  scoped_refptr<IOBuffer> request_buffer(new IOBuffer(kRequestLen));
+  memcpy(request_buffer->data(), kRequestText, kRequestLen);
+
+  rv = sock->Write(request_buffer.get(), kRequestLen, callback.callback());
+  EXPECT_TRUE(rv >= 0 || rv == ERR_IO_PENDING);
+
+  if (rv == ERR_IO_PENDING)
+    rv = callback.WaitForResult();
+  EXPECT_EQ(static_cast<int>(kRequestLen), rv);
+
+  // The socket has now been used.
+  EXPECT_TRUE(sock->WasEverUsed());
+
+  // TODO(davidben): Read one byte to ensure the test server has responded and
+  // then assert IsConnectedAndIdle is false. This currently doesn't work
+  // because neither SSLClientSocketNSS nor SSLClientSocketOpenSSL check their
+  // SSL implementation's internal buffers. Either call PR_Available and
+  // SSL_pending, although the former isn't actually implemented or perhaps
+  // attempt to read one byte extra.
+}
+
 }  // namespace net
diff --git a/net/socket/stream_listen_socket.cc b/net/socket/stream_listen_socket.cc
index e5232afdf8..d17ce75fec 100644
--- a/net/socket/stream_listen_socket.cc
+++ b/net/socket/stream_listen_socket.cc
@@ -96,7 +96,7 @@ int StreamListenSocket::GetLocalAddress(IPEndPoint* address) {
     return MapSystemError(err);
   }
   if (!address->FromSockAddr(storage.addr, storage.addr_len))
-    return ERR_FAILED;
+    return ERR_ADDRESS_INVALID;
   return OK;
 }
 
diff --git a/net/socket/stream_socket.h b/net/socket/stream_socket.h
index 38eec86dd9..72088103a3 100644
--- a/net/socket/stream_socket.h
+++ b/net/socket/stream_socket.h
@@ -70,9 +70,9 @@ class NET_EXPORT_PRIVATE StreamSocket : public Socket {
   virtual void SetSubresourceSpeculation() = 0;
   virtual void SetOmniboxSpeculation() = 0;
 
-  // Returns true if the underlying transport socket ever had any reads or
-  // writes.  StreamSockets layered on top of transport sockets should forward
-  // this call to the transport socket.
+  // Returns true if the socket ever had any reads or writes.  StreamSockets
+  // layered on top of transport sockets should return if their own Read() or
+  // Write() methods had been called, not the underlying transport's.
   virtual bool WasEverUsed() const = 0;
 
   // Returns true if the underlying transport socket is using TCP FastOpen.
diff --git a/net/socket/tcp_socket_libevent.cc b/net/socket/tcp_socket_libevent.cc
index 94d289708c..a7022fd857 100644
--- a/net/socket/tcp_socket_libevent.cc
+++ b/net/socket/tcp_socket_libevent.cc
@@ -611,9 +611,9 @@ int TCPSocketLibevent::AcceptInternal(scoped_ptr<TCPSocketLibevent>* socket,
     NOTREACHED();
     if (IGNORE_EINTR(close(new_socket)) < 0)
       PLOG(ERROR) << "close";
-    net_log_.EndEventWithNetErrorCode(NetLog::TYPE_TCP_ACCEPT,
-                                      ERR_ADDRESS_INVALID);
-    return ERR_ADDRESS_INVALID;
+    int net_error = ERR_ADDRESS_INVALID;
+    net_log_.EndEventWithNetErrorCode(NetLog::TYPE_TCP_ACCEPT, net_error);
+    return net_error;
   }
   scoped_ptr<TCPSocketLibevent> tcp_socket(new TCPSocketLibevent(
       net_log_.net_log(), net_log_.source()));
@@ -639,7 +639,7 @@ int TCPSocketLibevent::DoConnect() {
   if (!use_tcp_fastopen_) {
     SockaddrStorage storage;
     if (!peer_address_->ToSockAddr(storage.addr, &storage.addr_len))
-      return ERR_INVALID_ARGUMENT;
+      return ERR_ADDRESS_INVALID;
 
     if (!HANDLE_EINTR(connect(socket_, storage.addr, storage.addr_len))) {
       // Connected without waiting!
@@ -825,7 +825,9 @@ int TCPSocketLibevent::InternalWrite(IOBuffer* buf, int buf_len) {
   if (use_tcp_fastopen_ && !tcp_fastopen_connected_) {
     SockaddrStorage storage;
     if (!peer_address_->ToSockAddr(storage.addr, &storage.addr_len)) {
-      errno = EINVAL;
+      // Set errno to EADDRNOTAVAIL so that MapSystemError will map it to
+      // ERR_ADDRESS_INVALID later.
+      errno = EADDRNOTAVAIL;
       return -1;
     }
 
diff --git a/net/socket/tcp_socket_win.cc b/net/socket/tcp_socket_win.cc
index 5f8cd5c3e8..b777f21307 100644
--- a/net/socket/tcp_socket_win.cc
+++ b/net/socket/tcp_socket_win.cc
@@ -711,8 +711,9 @@ int TCPSocketWin::AcceptInternal(scoped_ptr<TCPSocketWin>* socket,
     NOTREACHED();
     if (closesocket(new_socket) < 0)
       PLOG(ERROR) << "closesocket";
-    net_log_.EndEventWithNetErrorCode(NetLog::TYPE_TCP_ACCEPT, ERR_FAILED);
-    return ERR_FAILED;
+    int net_error = ERR_ADDRESS_INVALID;
+    net_log_.EndEventWithNetErrorCode(NetLog::TYPE_TCP_ACCEPT, net_error);
+    return net_error;
   }
   scoped_ptr<TCPSocketWin> tcp_socket(new TCPSocketWin(
       net_log_.net_log(), net_log_.source()));
@@ -767,7 +768,7 @@ int TCPSocketWin::DoConnect() {
 
   SockaddrStorage storage;
   if (!peer_address_->ToSockAddr(storage.addr, &storage.addr_len))
-    return ERR_INVALID_ARGUMENT;
+    return ERR_ADDRESS_INVALID;
   if (!connect(socket_, storage.addr, storage.addr_len)) {
     // Connected without waiting!
     //
diff --git a/net/spdy/spdy_http_stream_unittest.cc b/net/spdy/spdy_http_stream_unittest.cc
index 5a5870365b..2142d586eb 100644
--- a/net/spdy/spdy_http_stream_unittest.cc
+++ b/net/spdy/spdy_http_stream_unittest.cc
@@ -8,6 +8,7 @@
 
 #include "base/memory/scoped_ptr.h"
 #include "base/message_loop/message_loop_proxy.h"
+#include "base/run_loop.h"
 #include "base/stl_util.h"
 #include "crypto/ec_private_key.h"
 #include "crypto/ec_signature_creator.h"
@@ -149,6 +150,9 @@ TEST_P(SpdyHttpStreamTest, GetUploadProgressBeforeInitialization) {
   UploadProgress progress = stream.GetUploadProgress();
   EXPECT_EQ(0u, progress.size());
   EXPECT_EQ(0u, progress.position());
+
+  // Pump the event loop so |reads| is consumed before the function returns.
+  base::RunLoop().RunUntilIdle();
 }
 
 TEST_P(SpdyHttpStreamTest, SendRequest) {
diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc
index c20d89e4a0..5f0e285afc 100644
--- a/net/spdy/spdy_session.cc
+++ b/net/spdy/spdy_session.cc
@@ -532,7 +532,7 @@ SpdySession::~SpdySession() {
   net_log_.EndEvent(NetLog::TYPE_SPDY_SESSION);
 }
 
-Error SpdySession::InitializeWithSocket(
+void SpdySession::InitializeWithSocket(
     scoped_ptr<ClientSocketHandle> connection,
     SpdySessionPool* pool,
     bool is_secure,
@@ -593,19 +593,17 @@ Error SpdySession::InitializeWithSocket(
       NetLog::TYPE_SPDY_SESSION_INITIALIZED,
       connection_->socket()->NetLog().source().ToEventParametersCallback());
 
-  int error = DoReadLoop(READ_STATE_DO_READ, OK);
-  if (error == ERR_IO_PENDING)
-    error = OK;
-  if (error == OK) {
-    DCHECK_NE(availability_state_, STATE_CLOSED);
-    connection_->AddHigherLayeredPool(this);
-    if (enable_sending_initial_data_)
-      SendInitialData();
-    pool_ = pool;
-  } else {
-    DcheckClosed();
-  }
-  return static_cast<Error>(error);
+  DCHECK_NE(availability_state_, STATE_CLOSED);
+  connection_->AddHigherLayeredPool(this);
+  if (enable_sending_initial_data_)
+    SendInitialData();
+  pool_ = pool;
+
+  // Bootstrap the read loop.
+  base::MessageLoop::current()->PostTask(
+      FROM_HERE,
+      base::Bind(&SpdySession::PumpReadLoop,
+                 weak_factory_.GetWeakPtr(), READ_STATE_DO_READ, OK));
 }
 
 bool SpdySession::VerifyDomainAuthentication(const std::string& domain) {
@@ -1554,9 +1552,8 @@ SpdySession::CloseSessionResult SpdySession::DoCloseSession(
   UMA_HISTOGRAM_CUSTOM_COUNTS("Net.SpdySession.BytesRead.OtherErrors",
                               total_bytes_received_, 1, 100000000, 50);
 
-  // |pool_| will be NULL when |InitializeWithSocket()| is in the
-  // call stack.
-  if (pool_ && availability_state_ != STATE_GOING_AWAY)
+  DCHECK(pool_);
+  if (availability_state_ != STATE_GOING_AWAY)
     pool_->MakeSessionUnavailable(GetWeakPtr());
 
   availability_state_ = STATE_CLOSED;
@@ -1628,10 +1625,8 @@ void SpdySession::CloseSessionOnError(Error err,
 void SpdySession::MakeUnavailable() {
   if (availability_state_ < STATE_GOING_AWAY) {
     availability_state_ = STATE_GOING_AWAY;
-    // |pool_| will be NULL when |InitializeWithSocket()| is in the
-    // call stack.
-    if (pool_)
-      pool_->MakeSessionUnavailable(GetWeakPtr());
+    DCHECK(pool_);
+    pool_->MakeSessionUnavailable(GetWeakPtr());
   }
 }
 
@@ -1686,7 +1681,8 @@ base::Value* SpdySession::GetInfoAsValue() const {
 }
 
 bool SpdySession::IsReused() const {
-  return buffered_spdy_framer_->frames_received() > 0;
+  return buffered_spdy_framer_->frames_received() > 0 ||
+      connection_->reuse_type() == ClientSocketHandle::UNUSED_IDLE;
 }
 
 bool SpdySession::GetLoadTimingInfo(SpdyStreamId stream_id,
diff --git a/net/spdy/spdy_session.h b/net/spdy/spdy_session.h
index cbb87bf8c6..203f1ef052 100644
--- a/net/spdy/spdy_session.h
+++ b/net/spdy/spdy_session.h
@@ -256,13 +256,13 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
   // |certificate_error_code| must either be OK or less than
   // ERR_IO_PENDING.
   //
-  // Returns OK on success, or an error on failure. Never returns
-  // ERR_IO_PENDING. If an error is returned, the session must be
-  // destroyed immediately.
-  Error InitializeWithSocket(scoped_ptr<ClientSocketHandle> connection,
-                             SpdySessionPool* pool,
-                             bool is_secure,
-                             int certificate_error_code);
+  // The session begins reading from |connection| on a subsequent event loop
+  // iteration, so the SpdySession may close immediately afterwards if the first
+  // read of |connection| fails.
+  void InitializeWithSocket(scoped_ptr<ClientSocketHandle> connection,
+                            SpdySessionPool* pool,
+                            bool is_secure,
+                            int certificate_error_code);
 
   // Returns the protocol used by this session. Always between
   // kProtoSPDYMinimumVersion and kProtoSPDYMaximumVersion.
@@ -367,7 +367,8 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
   base::Value* GetInfoAsValue() const;
 
   // Indicates whether the session is being reused after having successfully
-  // used to send/receive data in the past.
+  // used to send/receive data in the past or if the underlying socket was idle
+  // before being used for a SPDY session.
   bool IsReused() const;
 
   // Returns true if the underlying transport socket ever had any reads or
@@ -617,8 +618,7 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
   // Advance the ReadState state machine. |expected_read_state| is the
   // expected starting read state.
   //
-  // This function must always be called via PumpReadLoop() except for
-  // from InitializeWithSocket().
+  // This function must always be called via PumpReadLoop().
   int DoReadLoop(ReadState expected_read_state, int result);
   // The implementations of the states of the ReadState state machine.
   int DoRead();
diff --git a/net/spdy/spdy_session_pool.cc b/net/spdy/spdy_session_pool.cc
index 093db1eb9e..6ce0a937b3 100644
--- a/net/spdy/spdy_session_pool.cc
+++ b/net/spdy/spdy_session_pool.cc
@@ -77,12 +77,11 @@ SpdySessionPool::~SpdySessionPool() {
   CertDatabase::GetInstance()->RemoveObserver(this);
 }
 
-net::Error SpdySessionPool::CreateAvailableSessionFromSocket(
+base::WeakPtr<SpdySession> SpdySessionPool::CreateAvailableSessionFromSocket(
     const SpdySessionKey& key,
     scoped_ptr<ClientSocketHandle> connection,
     const BoundNetLog& net_log,
     int certificate_error_code,
-    base::WeakPtr<SpdySession>* available_session,
     bool is_secure) {
   DCHECK_GE(default_protocol_, kProtoSPDYMinimumVersion);
   DCHECK_LE(default_protocol_, kProtoSPDYMaximumVersion);
@@ -105,22 +104,16 @@ net::Error SpdySessionPool::CreateAvailableSessionFromSocket(
                       trusted_spdy_proxy_,
                       net_log.net_log()));
 
-  Error error =  new_session->InitializeWithSocket(
+  new_session->InitializeWithSocket(
       connection.Pass(), this, is_secure, certificate_error_code);
-  DCHECK_NE(error, ERR_IO_PENDING);
 
-  if (error != OK) {
-    available_session->reset();
-    return error;
-  }
-
-  *available_session = new_session->GetWeakPtr();
+  base::WeakPtr<SpdySession> available_session = new_session->GetWeakPtr();
   sessions_.insert(new_session.release());
-  MapKeyToAvailableSession(key, *available_session);
+  MapKeyToAvailableSession(key, available_session);
 
   net_log.AddEvent(
       NetLog::TYPE_SPDY_SESSION_POOL_IMPORTED_SESSION_FROM_SOCKET,
-      (*available_session)->net_log().source().ToEventParametersCallback());
+      available_session->net_log().source().ToEventParametersCallback());
 
   // Look up the IP address for this session so that we can match
   // future sessions (potentially to different domains) which can
@@ -129,11 +122,11 @@ net::Error SpdySessionPool::CreateAvailableSessionFromSocket(
   // to see if this is a direct connection.
   if (key.proxy_server().is_direct()) {
     IPEndPoint address;
-    if ((*available_session)->GetPeerAddress(&address) == OK)
+    if (available_session->GetPeerAddress(&address) == OK)
       aliases_[address] = key;
   }
 
-  return error;
+  return available_session;
 }
 
 base::WeakPtr<SpdySession> SpdySessionPool::FindAvailableSession(
diff --git a/net/spdy/spdy_session_pool.h b/net/spdy/spdy_session_pool.h
index c44e9de51b..0fad5d2d46 100644
--- a/net/spdy/spdy_session_pool.h
+++ b/net/spdy/spdy_session_pool.h
@@ -79,15 +79,14 @@ class NET_EXPORT SpdySessionPool
   // encountered when connecting the SSL socket, with OK meaning there
   // was no error.
   //
-  // If successful, OK is returned and |available_session| will be
-  // non-NULL and available. Otherwise, an error is returned and
-  // |available_session| will be NULL.
-  net::Error CreateAvailableSessionFromSocket(
+  // Returns the new SpdySession. Note that the SpdySession begins reading from
+  // |connection| on a subsequent event loop iteration, so it may be closed
+  // immediately afterwards if the first read of |connection| fails.
+  base::WeakPtr<SpdySession> CreateAvailableSessionFromSocket(
       const SpdySessionKey& key,
       scoped_ptr<ClientSocketHandle> connection,
       const BoundNetLog& net_log,
       int certificate_error_code,
-      base::WeakPtr<SpdySession>* available_session,
       bool is_secure);
 
   // Find an available session for the given key, or NULL if there isn't one.
diff --git a/net/spdy/spdy_session_unittest.cc b/net/spdy/spdy_session_unittest.cc
index 0e8b3707e8..a5d9292741 100644
--- a/net/spdy/spdy_session_unittest.cc
+++ b/net/spdy/spdy_session_unittest.cc
@@ -190,8 +190,12 @@ INSTANTIATE_TEST_CASE_P(
 TEST_P(SpdySessionTest, InitialReadError) {
   CreateDeterministicNetworkSession();
 
-  TryCreateFakeSpdySessionExpectingFailure(
+  base::WeakPtr<SpdySession> session = TryCreateFakeSpdySessionExpectingFailure(
       spdy_session_pool_, key_, ERR_FAILED);
+  EXPECT_TRUE(session);
+  // Flush the read.
+  base::RunLoop().RunUntilIdle();
+  EXPECT_FALSE(session);
 }
 
 namespace {
@@ -277,8 +281,6 @@ TEST_P(SpdySessionTest, PendingStreamCancellingAnother) {
   session->CloseSessionOnError(ERR_ABORTED, "Aborting session");
 
   EXPECT_EQ(ERR_ABORTED, callback1.WaitForResult());
-
-  data.RunFor(1);
 }
 
 // A session receiving a GOAWAY frame with no active streams should
@@ -330,9 +332,12 @@ TEST_P(SpdySessionTest, GoAwayImmediatelyWithNoActiveStreams) {
 
   data.StopAfter(1);
 
-  TryCreateInsecureSpdySessionExpectingFailure(
-      http_session_, key_, ERR_CONNECTION_CLOSED, BoundNetLog());
+  base::WeakPtr<SpdySession> session =
+      TryCreateInsecureSpdySessionExpectingFailure(
+          http_session_, key_, ERR_CONNECTION_CLOSED, BoundNetLog());
+  base::RunLoop().RunUntilIdle();
 
+  EXPECT_FALSE(session);
   EXPECT_FALSE(HasSpdySession(spdy_session_pool_, key_));
 }
 
@@ -1045,8 +1050,6 @@ TEST_P(SpdySessionTest, FailedPing) {
 
   EXPECT_TRUE(session == NULL);
   EXPECT_FALSE(HasSpdySession(spdy_session_pool_, key_));
-
-  data.RunFor(1);
   EXPECT_EQ(NULL, spdy_stream1.get());
 }
 
diff --git a/net/spdy/spdy_stream.cc b/net/spdy/spdy_stream.cc
index ce9ddd306e..3988905930 100644
--- a/net/spdy/spdy_stream.cc
+++ b/net/spdy/spdy_stream.cc
@@ -103,7 +103,8 @@ SpdyStream::SpdyStream(SpdyStreamType type,
       net_log_(net_log),
       raw_received_bytes_(0),
       send_bytes_(0),
-      recv_bytes_(0) {
+      recv_bytes_(0),
+      write_handler_guard_(false) {
   CHECK(type_ == SPDY_BIDIRECTIONAL_STREAM ||
         type_ == SPDY_REQUEST_RESPONSE_STREAM ||
         type_ == SPDY_PUSH_STREAM);
@@ -112,6 +113,7 @@ SpdyStream::SpdyStream(SpdyStreamType type,
 }
 
 SpdyStream::~SpdyStream() {
+  CHECK(!write_handler_guard_);
   UpdateHistograms();
 }
 
@@ -457,7 +459,6 @@ void SpdyStream::OnDataReceived(scoped_ptr<SpdyBuffer> buffer) {
   // PushedStreamReplayData().
   if (io_state_ == STATE_HALF_CLOSED_LOCAL_UNCLAIMED) {
     DCHECK_EQ(type_, SPDY_PUSH_STREAM);
-    CHECK(!delegate_);
     // It should be valid for this to happen in the server push case.
     // We'll return received data when delegate gets attached to the stream.
     if (buffer) {
@@ -545,12 +546,14 @@ void SpdyStream::OnFrameWriteComplete(SpdyFrameType frame_type,
   CHECK(delegate_);
   {
     base::WeakPtr<SpdyStream> weak_this = GetWeakPtr();
+    write_handler_guard_ = true;
     if (frame_type == SYN_STREAM) {
       delegate_->OnRequestHeadersSent();
     } else {
       delegate_->OnDataSent();
     }
     CHECK(weak_this);
+    write_handler_guard_ = false;
   }
 
   if (io_state_ == STATE_CLOSED) {
diff --git a/net/spdy/spdy_stream.h b/net/spdy/spdy_stream.h
index a8cc7dcde3..4e3c61a143 100644
--- a/net/spdy/spdy_stream.h
+++ b/net/spdy/spdy_stream.h
@@ -557,6 +557,11 @@ class NET_EXPORT_PRIVATE SpdyStream {
   std::string domain_bound_cert_;
   ServerBoundCertService::RequestHandle domain_bound_cert_request_handle_;
 
+  // Guards calls of delegate write handlers ensuring |this| is not destroyed.
+  // TODO(jgraettinger): Consider removing after crbug.com/35511 is tracked
+  // down.
+  bool write_handler_guard_;
+
   DISALLOW_COPY_AND_ASSIGN(SpdyStream);
 };
 
diff --git a/net/spdy/spdy_test_util_common.cc b/net/spdy/spdy_test_util_common.cc
index 66a6f8c3fd..22ff5f6f09 100644
--- a/net/spdy/spdy_test_util_common.cc
+++ b/net/spdy/spdy_test_util_common.cc
@@ -540,15 +540,12 @@ base::WeakPtr<SpdySession> CreateSpdySessionHelper(
 
   EXPECT_EQ(OK, rv);
 
-  base::WeakPtr<SpdySession> spdy_session;
-  EXPECT_EQ(
-      expected_status,
+  base::WeakPtr<SpdySession> spdy_session =
       http_session->spdy_session_pool()->CreateAvailableSessionFromSocket(
-          key, connection.Pass(), net_log, OK, &spdy_session,
-          is_secure));
-  EXPECT_EQ(expected_status == OK, spdy_session != NULL);
-  EXPECT_EQ(expected_status == OK,
-            HasSpdySession(http_session->spdy_session_pool(), key));
+          key, connection.Pass(), net_log, OK, is_secure);
+  // Failure is reported asynchronously.
+  EXPECT_TRUE(spdy_session != NULL);
+  EXPECT_TRUE(HasSpdySession(http_session->spdy_session_pool(), key));
   return spdy_session;
 }
 
@@ -562,14 +559,14 @@ base::WeakPtr<SpdySession> CreateInsecureSpdySession(
                                  OK, false /* is_secure */);
 }
 
-void TryCreateInsecureSpdySessionExpectingFailure(
+base::WeakPtr<SpdySession> TryCreateInsecureSpdySessionExpectingFailure(
     const scoped_refptr<HttpNetworkSession>& http_session,
     const SpdySessionKey& key,
     Error expected_error,
     const BoundNetLog& net_log) {
   DCHECK_LT(expected_error, ERR_IO_PENDING);
-  CreateSpdySessionHelper(http_session, key, net_log,
-                          expected_error, false /* is_secure */);
+  return CreateSpdySessionHelper(http_session, key, net_log,
+                                 expected_error, false /* is_secure */);
 }
 
 base::WeakPtr<SpdySession> CreateSecureSpdySession(
@@ -643,17 +640,15 @@ base::WeakPtr<SpdySession> CreateFakeSpdySessionHelper(
     Error expected_status) {
   EXPECT_NE(expected_status, ERR_IO_PENDING);
   EXPECT_FALSE(HasSpdySession(pool, key));
-  base::WeakPtr<SpdySession> spdy_session;
   scoped_ptr<ClientSocketHandle> handle(new ClientSocketHandle());
   handle->SetSocket(scoped_ptr<StreamSocket>(new FakeSpdySessionClientSocket(
       expected_status == OK ? ERR_IO_PENDING : expected_status)));
-  EXPECT_EQ(
-      expected_status,
+  base::WeakPtr<SpdySession> spdy_session =
       pool->CreateAvailableSessionFromSocket(
-          key, handle.Pass(), BoundNetLog(), OK, &spdy_session,
-          true /* is_secure */));
-  EXPECT_EQ(expected_status == OK, spdy_session != NULL);
-  EXPECT_EQ(expected_status == OK, HasSpdySession(pool, key));
+          key, handle.Pass(), BoundNetLog(), OK, true /* is_secure */);
+  // Failure is reported asynchronously.
+  EXPECT_TRUE(spdy_session != NULL);
+  EXPECT_TRUE(HasSpdySession(pool, key));
   return spdy_session;
 }
 
@@ -664,11 +659,12 @@ base::WeakPtr<SpdySession> CreateFakeSpdySession(SpdySessionPool* pool,
   return CreateFakeSpdySessionHelper(pool, key, OK);
 }
 
-void TryCreateFakeSpdySessionExpectingFailure(SpdySessionPool* pool,
-                                              const SpdySessionKey& key,
-                                              Error expected_error) {
+base::WeakPtr<SpdySession> TryCreateFakeSpdySessionExpectingFailure(
+    SpdySessionPool* pool,
+    const SpdySessionKey& key,
+    Error expected_error) {
   DCHECK_LT(expected_error, ERR_IO_PENDING);
-  CreateFakeSpdySessionHelper(pool, key, expected_error);
+  return CreateFakeSpdySessionHelper(pool, key, expected_error);
 }
 
 SpdySessionPoolPeer::SpdySessionPoolPeer(SpdySessionPool* pool) : pool_(pool) {
diff --git a/net/spdy/spdy_test_util_common.h b/net/spdy/spdy_test_util_common.h
index 42b595b689..668a7e84dc 100644
--- a/net/spdy/spdy_test_util_common.h
+++ b/net/spdy/spdy_test_util_common.h
@@ -247,8 +247,9 @@ base::WeakPtr<SpdySession> CreateInsecureSpdySession(
 
 // Tries to create a SPDY session for the given key but expects the
 // attempt to fail with the given error. A SPDY session for |key| must
-// not already exist.
-void TryCreateInsecureSpdySessionExpectingFailure(
+// not already exist. The session will be created but close in the
+// next event loop iteration.
+base::WeakPtr<SpdySession> TryCreateInsecureSpdySessionExpectingFailure(
     const scoped_refptr<HttpNetworkSession>& http_session,
     const SpdySessionKey& key,
     Error expected_error,
@@ -269,10 +270,12 @@ base::WeakPtr<SpdySession> CreateFakeSpdySession(SpdySessionPool* pool,
 // Tries to create an insecure SPDY session for the given key but
 // expects the attempt to fail with the given error. The session will
 // neither receive nor send any data. A SPDY session for |key| must
-// not already exist.
-void TryCreateFakeSpdySessionExpectingFailure(SpdySessionPool* pool,
-                                              const SpdySessionKey& key,
-                                              Error expected_error);
+// not already exist. The session will be created but close in the
+// next event loop iteration.
+base::WeakPtr<SpdySession> TryCreateFakeSpdySessionExpectingFailure(
+    SpdySessionPool* pool,
+    const SpdySessionKey& key,
+    Error expected_error);
 
 class SpdySessionPoolPeer {
  public:
diff --git a/net/ssl/server_bound_cert_service_unittest.cc b/net/ssl/server_bound_cert_service_unittest.cc
index 4df003913a..2be073bb16 100644
--- a/net/ssl/server_bound_cert_service_unittest.cc
+++ b/net/ssl/server_bound_cert_service_unittest.cc
@@ -24,7 +24,6 @@ namespace net {
 
 namespace {
 
-#if !defined(USE_OPENSSL)
 void FailTest(int /* result */) {
   FAIL();
 }
@@ -117,8 +116,6 @@ MockServerBoundCertStoreWithAsyncGet::CallGetServerBoundCertCallbackWithResult(
                                                     cert));
 }
 
-#endif  // !defined(USE_OPENSSL)
-
 class ServerBoundCertServiceTest : public testing::Test {
  public:
   ServerBoundCertServiceTest()
@@ -150,9 +147,6 @@ TEST_F(ServerBoundCertServiceTest, GetDomainForHost) {
             ServerBoundCertService::GetDomainForHost("127.0.0.1"));
 }
 
-// See http://crbug.com/91512 - implement OpenSSL version of CreateSelfSigned.
-#if !defined(USE_OPENSSL)
-
 TEST_F(ServerBoundCertServiceTest, GetCacheMiss) {
   std::string host("encrypted.google.com");
 
@@ -775,8 +769,6 @@ TEST_F(ServerBoundCertServiceTest, AsyncStoreGetThenCreateNoCertsInStore) {
   EXPECT_FALSE(request_handle2.is_active());
 }
 
-#endif  // !defined(USE_OPENSSL)
-
 }  // namespace
 
 }  // namespace net
diff --git a/net/ssl/ssl_config.cc b/net/ssl/ssl_config.cc
new file mode 100644
index 0000000000..02829918ed
--- /dev/null
+++ b/net/ssl/ssl_config.cc
@@ -0,0 +1,69 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/ssl/ssl_config.h"
+
+#if defined(USE_OPENSSL)
+#include <openssl/ssl.h>
+#endif
+
+namespace net {
+
+const uint16 kDefaultSSLVersionMin = SSL_PROTOCOL_VERSION_SSL3;
+
+const uint16 kDefaultSSLVersionMax =
+#if defined(USE_OPENSSL)
+#if defined(SSL_OP_NO_TLSv1_2)
+    SSL_PROTOCOL_VERSION_TLS1_2;
+#elif defined(SSL_OP_NO_TLSv1_1)
+    SSL_PROTOCOL_VERSION_TLS1_1;
+#else
+    SSL_PROTOCOL_VERSION_TLS1;
+#endif
+#else
+    SSL_PROTOCOL_VERSION_TLS1_2;
+#endif
+
+SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
+
+SSLConfig::CertAndStatus::~CertAndStatus() {}
+
+SSLConfig::SSLConfig()
+    : rev_checking_enabled(false),
+      rev_checking_required_local_anchors(false),
+      version_min(kDefaultSSLVersionMin),
+      version_max(kDefaultSSLVersionMax),
+      channel_id_enabled(true),
+      false_start_enabled(true),
+      signed_cert_timestamps_enabled(true),
+      require_forward_secrecy(false),
+      send_client_cert(false),
+      verify_ev_cert(false),
+      version_fallback(false),
+      cert_io_enabled(true) {
+}
+
+SSLConfig::~SSLConfig() {}
+
+bool SSLConfig::IsAllowedBadCert(X509Certificate* cert,
+                                 CertStatus* cert_status) const {
+  std::string der_cert;
+  if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert))
+    return false;
+  return IsAllowedBadCert(der_cert, cert_status);
+}
+
+bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert,
+                                 CertStatus* cert_status) const {
+  for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
+    if (der_cert == allowed_bad_certs[i].der_cert) {
+      if (cert_status)
+        *cert_status = allowed_bad_certs[i].cert_status;
+      return true;
+    }
+  }
+  return false;
+}
+
+}  // namespace net
diff --git a/net/ssl/ssl_config.h b/net/ssl/ssl_config.h
new file mode 100644
index 0000000000..27312147f0
--- /dev/null
+++ b/net/ssl/ssl_config.h
@@ -0,0 +1,156 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SSL_SSL_CONFIG_H_
+#define NET_SSL_SSL_CONFIG_H_
+
+#include "base/basictypes.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_export.h"
+#include "net/cert/x509_certificate.h"
+
+namespace net {
+
+// Various TLS/SSL ProtocolVersion values encoded as uint16
+//      struct {
+//          uint8 major;
+//          uint8 minor;
+//      } ProtocolVersion;
+// The most significant byte is |major|, and the least significant byte
+// is |minor|.
+enum {
+  SSL_PROTOCOL_VERSION_SSL3 = 0x0300,
+  SSL_PROTOCOL_VERSION_TLS1 = 0x0301,
+  SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302,
+  SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303,
+};
+
+// Default minimum protocol version.
+NET_EXPORT extern const uint16 kDefaultSSLVersionMin;
+
+// Default maximum protocol version.
+NET_EXPORT extern const uint16 kDefaultSSLVersionMax;
+
+// A collection of SSL-related configuration settings.
+struct NET_EXPORT SSLConfig {
+  // Default to revocation checking.
+  // Default to SSL 3.0 ~ default_version_max() on.
+  SSLConfig();
+  ~SSLConfig();
+
+  // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
+  // The expected cert status is written to |cert_status|. |*cert_status| can
+  // be NULL if user doesn't care about the cert status.
+  bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
+
+  // Same as above except works with DER encoded certificates instead
+  // of X509Certificate.
+  bool IsAllowedBadCert(const base::StringPiece& der_cert,
+                        CertStatus* cert_status) const;
+
+  // rev_checking_enabled is true if online certificate revocation checking is
+  // enabled (i.e. OCSP and CRL fetching).
+  //
+  // Regardless of this flag, CRLSet checking is always enabled and locally
+  // cached revocation information will be considered.
+  bool rev_checking_enabled;
+
+  // rev_checking_required_local_anchors is true if revocation checking is
+  // required to succeed when certificates chain to local trust anchors (that
+  // is, non-public CAs). If revocation information cannot be obtained, such
+  // certificates will be treated as revoked ("hard-fail").
+  // Note: This is distinct from rev_checking_enabled. If true, it is
+  // equivalent to also setting rev_checking_enabled, but only when the
+  // certificate chain chains to a local (non-public) trust anchor.
+  bool rev_checking_required_local_anchors;
+
+  // The minimum and maximum protocol versions that are enabled.
+  // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
+  // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
+  // SSL 2.0 is not supported. If version_max < version_min, it means no
+  // protocol versions are enabled.
+  uint16 version_min;
+  uint16 version_max;
+
+  // Presorted list of cipher suites which should be explicitly prevented from
+  // being used in addition to those disabled by the net built-in policy.
+  //
+  // By default, all cipher suites supported by the underlying SSL
+  // implementation will be enabled except for:
+  // - Null encryption cipher suites.
+  // - Weak cipher suites: < 80 bits of security strength.
+  // - FORTEZZA cipher suites (obsolete).
+  // - IDEA cipher suites (RFC 5469 explains why).
+  // - Anonymous cipher suites.
+  // - ECDSA cipher suites on platforms that do not support ECDSA signed
+  //   certificates, as servers may use the presence of such ciphersuites as a
+  //   hint to send an ECDSA certificate.
+  // The ciphers listed in |disabled_cipher_suites| will be removed in addition
+  // to the above list.
+  //
+  // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
+  // big-endian form, they should be declared in host byte order, with the
+  // first uint8 occupying the most significant byte.
+  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
+  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
+  std::vector<uint16> disabled_cipher_suites;
+
+  bool channel_id_enabled;   // True if TLS channel ID extension is enabled.
+  bool false_start_enabled;  // True if we'll use TLS False Start.
+  // True if the Certificate Transparency signed_certificate_timestamp
+  // TLS extension is enabled.
+  bool signed_cert_timestamps_enabled;
+
+  // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be
+  // enabled. NOTE: this only applies to server sockets currently, although
+  // that could be extended if needed.
+  bool require_forward_secrecy;
+
+  // TODO(wtc): move the following members to a new SSLParams structure.  They
+  // are not SSL configuration settings.
+
+  struct NET_EXPORT CertAndStatus {
+    CertAndStatus();
+    ~CertAndStatus();
+
+    std::string der_cert;
+    CertStatus cert_status;
+  };
+
+  // Add any known-bad SSL certificate (with its cert status) to
+  // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
+  // calling SSLClientSocket::Connect.  This would normally be done in
+  // response to the user explicitly accepting the bad certificate.
+  std::vector<CertAndStatus> allowed_bad_certs;
+
+  // True if we should send client_cert to the server.
+  bool send_client_cert;
+
+  bool verify_ev_cert;  // True if we should verify the certificate for EV.
+
+  bool version_fallback;  // True if we are falling back to an older protocol
+                          // version (one still needs to decrement
+                          // version_max).
+
+  // If cert_io_enabled is false, then certificate verification will not
+  // result in additional HTTP requests. (For example: to fetch missing
+  // intermediates or to perform OCSP/CRL fetches.) It also implies that online
+  // revocation checking is disabled.
+  // NOTE: Only used by NSS.
+  bool cert_io_enabled;
+
+  // The list of application level protocols supported. If set, this will
+  // enable Next Protocol Negotiation (if supported). The order of the
+  // protocols doesn't matter expect for one case: if the server supports Next
+  // Protocol Negotiation, but there is no overlap between the server's and
+  // client's protocol sets, then the first protocol in this list will be
+  // requested by the client.
+  std::vector<std::string> next_protos;
+
+  scoped_refptr<X509Certificate> client_cert;
+};
+
+}  // namespace net
+
+#endif  // NET_SSL_SSL_CONFIG_H_
diff --git a/net/ssl/ssl_config_service.cc b/net/ssl/ssl_config_service.cc
index ec9fcc3eb3..cd2a00dc6d 100644
--- a/net/ssl/ssl_config_service.cc
+++ b/net/ssl/ssl_config_service.cc
@@ -5,75 +5,11 @@
 #include "net/ssl/ssl_config_service.h"
 
 #include "base/lazy_instance.h"
-#include "base/memory/ref_counted.h"
 #include "base/synchronization/lock.h"
-#include "net/cert/crl_set.h"
 #include "net/ssl/ssl_config_service_defaults.h"
 
-#if defined(USE_OPENSSL)
-#include <openssl/ssl.h>
-#endif
-
 namespace net {
 
-static uint16 g_default_version_min = SSL_PROTOCOL_VERSION_SSL3;
-
-static uint16 g_default_version_max =
-#if defined(USE_OPENSSL)
-#if defined(SSL_OP_NO_TLSv1_2)
-    SSL_PROTOCOL_VERSION_TLS1_2;
-#elif defined(SSL_OP_NO_TLSv1_1)
-    SSL_PROTOCOL_VERSION_TLS1_1;
-#else
-    SSL_PROTOCOL_VERSION_TLS1;
-#endif
-#else
-    SSL_PROTOCOL_VERSION_TLS1_2;
-#endif
-
-SSLConfig::CertAndStatus::CertAndStatus() : cert_status(0) {}
-
-SSLConfig::CertAndStatus::~CertAndStatus() {}
-
-SSLConfig::SSLConfig()
-    : rev_checking_enabled(false),
-      rev_checking_required_local_anchors(false),
-      version_min(g_default_version_min),
-      version_max(g_default_version_max),
-      channel_id_enabled(true),
-      false_start_enabled(true),
-      signed_cert_timestamps_enabled(true),
-      require_forward_secrecy(false),
-      unrestricted_ssl3_fallback_enabled(false),
-      send_client_cert(false),
-      verify_ev_cert(false),
-      version_fallback(false),
-      cert_io_enabled(true) {
-}
-
-SSLConfig::~SSLConfig() {
-}
-
-bool SSLConfig::IsAllowedBadCert(X509Certificate* cert,
-                                 CertStatus* cert_status) const {
-  std::string der_cert;
-  if (!X509Certificate::GetDEREncoded(cert->os_cert_handle(), &der_cert))
-    return false;
-  return IsAllowedBadCert(der_cert, cert_status);
-}
-
-bool SSLConfig::IsAllowedBadCert(const base::StringPiece& der_cert,
-                                 CertStatus* cert_status) const {
-  for (size_t i = 0; i < allowed_bad_certs.size(); ++i) {
-    if (der_cert == allowed_bad_certs[i].der_cert) {
-      if (cert_status)
-        *cert_status = allowed_bad_certs[i].cert_status;
-      return true;
-    }
-  }
-  return false;
-}
-
 SSLConfigService::SSLConfigService()
     : observer_list_(ObserverList<Observer>::NOTIFY_EXISTING_ONLY) {
 }
@@ -111,16 +47,6 @@ scoped_refptr<CRLSet> SSLConfigService::GetCRLSet() {
   return g_crl_set.Get().Get();
 }
 
-// static
-uint16 SSLConfigService::default_version_min() {
-  return g_default_version_min;
-}
-
-// static
-uint16 SSLConfigService::default_version_max() {
-  return g_default_version_max;
-}
-
 void SSLConfigService::AddObserver(Observer* observer) {
   observer_list_.AddObserver(observer);
 }
@@ -149,9 +75,7 @@ void SSLConfigService::ProcessConfigUpdate(const SSLConfig& orig_config,
       (orig_config.channel_id_enabled != new_config.channel_id_enabled) ||
       (orig_config.false_start_enabled != new_config.false_start_enabled) ||
       (orig_config.require_forward_secrecy !=
-       new_config.require_forward_secrecy) ||
-      (orig_config.unrestricted_ssl3_fallback_enabled !=
-       new_config.unrestricted_ssl3_fallback_enabled);
+       new_config.require_forward_secrecy);
 
   if (config_changed)
     NotifySSLConfigChange();
diff --git a/net/ssl/ssl_config_service.h b/net/ssl/ssl_config_service.h
index 08a59fd274..d6547223ea 100644
--- a/net/ssl/ssl_config_service.h
+++ b/net/ssl/ssl_config_service.h
@@ -7,157 +7,14 @@
 
 #include <vector>
 
-#include "base/basictypes.h"
 #include "base/memory/ref_counted.h"
 #include "base/observer_list.h"
-#include "base/strings/string_piece.h"
 #include "net/base/net_export.h"
-#include "net/cert/cert_status_flags.h"
 #include "net/cert/crl_set.h"
-#include "net/cert/x509_certificate.h"
+#include "net/ssl/ssl_config.h"
 
 namespace net {
 
-// Various TLS/SSL ProtocolVersion values encoded as uint16
-//      struct {
-//          uint8 major;
-//          uint8 minor;
-//      } ProtocolVersion;
-// The most significant byte is |major|, and the least significant byte
-// is |minor|.
-enum {
-  SSL_PROTOCOL_VERSION_SSL3 = 0x0300,
-  SSL_PROTOCOL_VERSION_TLS1 = 0x0301,
-  SSL_PROTOCOL_VERSION_TLS1_1 = 0x0302,
-  SSL_PROTOCOL_VERSION_TLS1_2 = 0x0303,
-};
-
-// A collection of SSL-related configuration settings.
-struct NET_EXPORT SSLConfig {
-  // Default to revocation checking.
-  // Default to SSL 3.0 ~ default_version_max() on.
-  SSLConfig();
-  ~SSLConfig();
-
-  // Returns true if |cert| is one of the certs in |allowed_bad_certs|.
-  // The expected cert status is written to |cert_status|. |*cert_status| can
-  // be NULL if user doesn't care about the cert status.
-  bool IsAllowedBadCert(X509Certificate* cert, CertStatus* cert_status) const;
-
-  // Same as above except works with DER encoded certificates instead
-  // of X509Certificate.
-  bool IsAllowedBadCert(const base::StringPiece& der_cert,
-                        CertStatus* cert_status) const;
-
-  // rev_checking_enabled is true if online certificate revocation checking is
-  // enabled (i.e. OCSP and CRL fetching).
-  //
-  // Regardless of this flag, CRLSet checking is always enabled and locally
-  // cached revocation information will be considered.
-  bool rev_checking_enabled;
-
-  // rev_checking_required_local_anchors is true if revocation checking is
-  // required to succeed when certificates chain to local trust anchors (that
-  // is, non-public CAs). If revocation information cannot be obtained, such
-  // certificates will be treated as revoked ("hard-fail").
-  // Note: This is distinct from rev_checking_enabled. If true, it is
-  // equivalent to also setting rev_checking_enabled, but only when the
-  // certificate chain chains to a local (non-public) trust anchor.
-  bool rev_checking_required_local_anchors;
-
-  // The minimum and maximum protocol versions that are enabled.
-  // SSL 3.0 is 0x0300, TLS 1.0 is 0x0301, TLS 1.1 is 0x0302, and so on.
-  // (Use the SSL_PROTOCOL_VERSION_xxx enumerators defined above.)
-  // SSL 2.0 is not supported. If version_max < version_min, it means no
-  // protocol versions are enabled.
-  uint16 version_min;
-  uint16 version_max;
-
-  // Presorted list of cipher suites which should be explicitly prevented from
-  // being used in addition to those disabled by the net built-in policy.
-  //
-  // By default, all cipher suites supported by the underlying SSL
-  // implementation will be enabled except for:
-  // - Null encryption cipher suites.
-  // - Weak cipher suites: < 80 bits of security strength.
-  // - FORTEZZA cipher suites (obsolete).
-  // - IDEA cipher suites (RFC 5469 explains why).
-  // - Anonymous cipher suites.
-  // - ECDSA cipher suites on platforms that do not support ECDSA signed
-  //   certificates, as servers may use the presence of such ciphersuites as a
-  //   hint to send an ECDSA certificate.
-  // The ciphers listed in |disabled_cipher_suites| will be removed in addition
-  // to the above list.
-  //
-  // Though cipher suites are sent in TLS as "uint8 CipherSuite[2]", in
-  // big-endian form, they should be declared in host byte order, with the
-  // first uint8 occupying the most significant byte.
-  // Ex: To disable TLS_RSA_WITH_RC4_128_MD5, specify 0x0004, while to
-  // disable TLS_ECDH_ECDSA_WITH_RC4_128_SHA, specify 0xC002.
-  std::vector<uint16> disabled_cipher_suites;
-
-  bool channel_id_enabled;   // True if TLS channel ID extension is enabled.
-  bool false_start_enabled;  // True if we'll use TLS False Start.
-  // True if the Certificate Transparency signed_certificate_timestamp
-  // TLS extension is enabled.
-  bool signed_cert_timestamps_enabled;
-
-  // require_forward_secrecy, if true, causes only (EC)DHE cipher suites to be
-  // enabled. NOTE: this only applies to server sockets currently, although
-  // that could be extended if needed.
-  bool require_forward_secrecy;
-
-  // If |unrestricted_ssl3_fallback_enabled| is true, SSL 3.0 fallback will be
-  // enabled for all sites.
-  // If |unrestricted_ssl3_fallback_enabled| is false, SSL 3.0 fallback will be
-  // disabled for a site pinned to the Google pin list (indicating that it is a
-  // Google site).
-  bool unrestricted_ssl3_fallback_enabled;
-
-  // TODO(wtc): move the following members to a new SSLParams structure.  They
-  // are not SSL configuration settings.
-
-  struct NET_EXPORT CertAndStatus {
-    CertAndStatus();
-    ~CertAndStatus();
-
-    std::string der_cert;
-    CertStatus cert_status;
-  };
-
-  // Add any known-bad SSL certificate (with its cert status) to
-  // |allowed_bad_certs| that should not trigger an ERR_CERT_* error when
-  // calling SSLClientSocket::Connect.  This would normally be done in
-  // response to the user explicitly accepting the bad certificate.
-  std::vector<CertAndStatus> allowed_bad_certs;
-
-  // True if we should send client_cert to the server.
-  bool send_client_cert;
-
-  bool verify_ev_cert;  // True if we should verify the certificate for EV.
-
-  bool version_fallback;  // True if we are falling back to an older protocol
-                          // version (one still needs to decrement
-                          // version_max).
-
-  // If cert_io_enabled is false, then certificate verification will not
-  // result in additional HTTP requests. (For example: to fetch missing
-  // intermediates or to perform OCSP/CRL fetches.) It also implies that online
-  // revocation checking is disabled.
-  // NOTE: Only used by NSS.
-  bool cert_io_enabled;
-
-  // The list of application level protocols supported. If set, this will
-  // enable Next Protocol Negotiation (if supported). The order of the
-  // protocols doesn't matter expect for one case: if the server supports Next
-  // Protocol Negotiation, but there is no overlap between the server's and
-  // client's protocol sets, then the first protocol in this list will be
-  // requested by the client.
-  std::vector<std::string> next_protos;
-
-  scoped_refptr<X509Certificate> client_cert;
-};
-
 // The interface for retrieving the SSL configuration.  This interface
 // does not cover setting the SSL configuration, as on some systems, the
 // SSLConfigService objects may not have direct access to the configuration, or
@@ -193,12 +50,6 @@ class NET_EXPORT SSLConfigService
   static void SetCRLSet(scoped_refptr<CRLSet> crl_set);
   static scoped_refptr<CRLSet> GetCRLSet();
 
-  // Gets the default minimum protocol version.
-  static uint16 default_version_min();
-
-  // Gets the default maximum protocol version.
-  static uint16 default_version_max();
-
   // Is SNI available in this configuration?
   static bool IsSNIAvailable(SSLConfigService* service);
 
diff --git a/net/ssl/ssl_config_service_unittest.cc b/net/ssl/ssl_config_service_unittest.cc
index 42c8ae47b9..e8a4c33394 100644
--- a/net/ssl/ssl_config_service_unittest.cc
+++ b/net/ssl/ssl_config_service_unittest.cc
@@ -69,7 +69,6 @@ TEST(SSLConfigServiceTest, ConfigUpdatesNotifyObservers) {
   SSLConfig initial_config;
   initial_config.rev_checking_enabled = true;
   initial_config.false_start_enabled = false;
-  initial_config.unrestricted_ssl3_fallback_enabled = false;
   initial_config.version_min = SSL_PROTOCOL_VERSION_SSL3;
   initial_config.version_max = SSL_PROTOCOL_VERSION_TLS1_1;
 
@@ -87,10 +86,6 @@ TEST(SSLConfigServiceTest, ConfigUpdatesNotifyObservers) {
   EXPECT_CALL(observer, OnSSLConfigChanged()).Times(1);
   mock_service->SetSSLConfig(initial_config);
 
-  initial_config.unrestricted_ssl3_fallback_enabled = true;
-  EXPECT_CALL(observer, OnSSLConfigChanged()).Times(1);
-  mock_service->SetSSLConfig(initial_config);
-
   // Test that changing the SSL version range triggers updates.
   initial_config.version_min = SSL_PROTOCOL_VERSION_TLS1;
   EXPECT_CALL(observer, OnSSLConfigChanged()).Times(1);
diff --git a/net/test/embedded_test_server/embedded_test_server.cc b/net/test/embedded_test_server/embedded_test_server.cc
index b60cea4463..75b46e2216 100644
--- a/net/test/embedded_test_server/embedded_test_server.cc
+++ b/net/test/embedded_test_server/embedded_test_server.cc
@@ -20,7 +20,6 @@
 #include "net/test/embedded_test_server/http_connection.h"
 #include "net/test/embedded_test_server/http_request.h"
 #include "net/test/embedded_test_server/http_response.h"
-#include "net/tools/fetch/http_listen_socket.h"
 
 namespace net {
 namespace test_server {
diff --git a/net/tools/dump_cache/dump_files.cc b/net/tools/dump_cache/dump_files.cc
index 607877803b..796f205e81 100644
--- a/net/tools/dump_cache/dump_files.cc
+++ b/net/tools/dump_cache/dump_files.cc
@@ -14,10 +14,10 @@
 #include <string>
 
 #include "base/file_util.h"
+#include "base/files/file.h"
 #include "base/files/file_enumerator.h"
 #include "base/format_macros.h"
 #include "base/message_loop/message_loop.h"
-#include "net/base/file_stream.h"
 #include "net/disk_cache/blockfile/block_files.h"
 #include "net/disk_cache/blockfile/disk_format.h"
 #include "net/disk_cache/blockfile/mapped_file.h"
@@ -31,14 +31,13 @@ const base::FilePath::CharType kIndexName[] = FILE_PATH_LITERAL("index");
 
 // Reads the |header_size| bytes from the beginning of file |name|.
 bool ReadHeader(const base::FilePath& name, char* header, int header_size) {
-  net::FileStream file(NULL);
-  file.OpenSync(name, base::PLATFORM_FILE_OPEN | base::PLATFORM_FILE_READ);
-  if (!file.IsOpen()) {
+  base::File file(name, base::File::FLAG_OPEN | base::File::FLAG_READ);
+  if (!file.IsValid()) {
     printf("Unable to open file %s\n", name.MaybeAsASCII().c_str());
     return false;
   }
 
-  int read = file.ReadSync(header, header_size);
+  int read = file.Read(0, header, header_size);
   if (read != header_size) {
     printf("Unable to read file %s\n", name.MaybeAsASCII().c_str());
     return false;
diff --git a/net/tools/fetch/fetch_client.cc b/net/tools/fetch/fetch_client.cc
deleted file mode 100644
index 830622c946..0000000000
--- a/net/tools/fetch/fetch_client.cc
+++ /dev/null
@@ -1,225 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/at_exit.h"
-#include "base/command_line.h"
-#include "base/lazy_instance.h"
-#include "base/logging.h"
-#include "base/message_loop/message_loop.h"
-#include "base/metrics/stats_counters.h"
-#include "base/strings/string_number_conversions.h"
-#include "build/build_config.h"
-#include "net/url_request/url_fetcher.h"
-#include "net/url_request/url_fetcher_delegate.h"
-#include "net/url_request/url_request_context.h"
-#include "net/url_request/url_request_context_builder.h"
-#include "net/url_request/url_request_context_getter.h"
-#include "url/gurl.h"
-
-#if defined(OS_LINUX) || defined(OS_ANDROID)
-#include "net/proxy/proxy_config.h"
-#include "net/proxy/proxy_config_service_fixed.h"
-#endif  // defined(OS_LINUX) || defined(OS_ANDROID)
-
-using net::URLFetcher;
-using net::URLFetcherDelegate;
-using net::URLRequestContextGetter;
-
-void usage(const char* program_name) {
-  printf("usage: %s --url=<url> [--n=<clients>] [--stats] [--use_cache] "
-         "[--v]\n",
-         program_name);
-  exit(1);
-}
-
-// Test Driver
-class Driver {
- public:
-  Driver()
-      : clients_(0) {}
-
-  void ClientStarted() { clients_++; }
-  void ClientStopped() {
-    if (!--clients_) {
-      base::MessageLoop::current()->Quit();
-    }
-  }
-
- private:
-  int clients_;
-};
-
-scoped_ptr<net::URLRequestContext>
-BuildURLRequestContext(bool use_cache) {
-  net::URLRequestContextBuilder builder;
-  builder.set_file_enabled(true);
-  builder.set_data_enabled(true);
-  builder.set_ftp_enabled(true);
-#if defined(OS_LINUX) || defined(OS_ANDROID)
-  // TODO(wtc): Remove this once http://crbug.com/146421 is fixed.
-  builder.set_proxy_config_service(
-      new net::ProxyConfigServiceFixed(net::ProxyConfig::CreateDirect()));
-#endif  // defined(OS_LINUX) || defined(OS_ANDROID)
-  if (!use_cache)
-    builder.DisableHttpCache();
-  scoped_ptr<net::URLRequestContext> context(builder.Build());
-  return context.Pass();
-}
-
-// Builds a URLRequestContext assuming there's only a single message loop.
-class SingleThreadRequestContextGetter : public net::URLRequestContextGetter {
- public:
-  // Since there's only a single thread, there's no need to worry
-  // about when |context_| gets created.
-  SingleThreadRequestContextGetter(
-      bool use_cache,
-      const scoped_refptr<base::SingleThreadTaskRunner>& main_task_runner)
-      : context_(BuildURLRequestContext(use_cache)),
-        main_task_runner_(main_task_runner) {}
-
-  virtual net::URLRequestContext* GetURLRequestContext() OVERRIDE {
-    return context_.get();
-  }
-
-  virtual scoped_refptr<base::SingleThreadTaskRunner> GetNetworkTaskRunner()
-      const OVERRIDE {
-    return main_task_runner_;
-  }
-
- private:
-  virtual ~SingleThreadRequestContextGetter() {}
-
-  const scoped_ptr<net::URLRequestContext> context_;
-  const scoped_refptr<base::SingleThreadTaskRunner> main_task_runner_;
-};
-
-static base::LazyInstance<Driver> g_driver = LAZY_INSTANCE_INITIALIZER;
-
-// A network client
-class Client : public URLFetcherDelegate {
- public:
-  Client(const std::string& url,
-         URLRequestContextGetter* getter) :
-      url_(url), getter_(getter), last_current_(0) {
-  }
-
-  void Start() {
-    fetcher_.reset(net::URLFetcher::Create(
-        url_, net::URLFetcher::GET, this));
-    if (!fetcher_.get())
-      return;
-    g_driver.Get().ClientStarted();
-    fetcher_->SetRequestContext(getter_);
-    fetcher_->Start();
-  };
-
- private:
-
-  // URLFetcherDelegate overrides.
-  virtual void OnURLFetchComplete(const URLFetcher* source) OVERRIDE {
-    base::StatsCounter requests("FetchClient.requests");
-    requests.Increment();
-    g_driver.Get().ClientStopped();
-    printf(".");
-  }
-
-  virtual void OnURLFetchDownloadProgress(const URLFetcher* source,
-                                          int64 current, int64 total) OVERRIDE {
-    base::StatsCounter bytes_read("FetchClient.bytes_read");
-    DCHECK(current >= last_current_);
-    int64 delta = current - last_current_;
-    bytes_read.Add(delta);
-    last_current_ = current;
-  }
-
-  virtual void OnURLFetchUploadProgress(const URLFetcher* source,
-                                        int64 current, int64 total) OVERRIDE {
-    CHECK(false);
-  }
-
-  GURL url_;
-  scoped_ptr<URLFetcher> fetcher_;
-  URLRequestContextGetter* getter_;
-  int64 last_current_;
-};
-
-int main(int argc, char** argv) {
-  base::AtExitManager exit;
-  base::StatsTable table("fetchclient", 50, 1000);
-  table.set_current(&table);
-
-  CommandLine::Init(argc, argv);
-  const CommandLine& parsed_command_line = *CommandLine::ForCurrentProcess();
-  std::string url = parsed_command_line.GetSwitchValueASCII("url");
-  if (!url.length())
-    usage(argv[0]);
-  int client_limit = 1;
-  if (parsed_command_line.HasSwitch("n")) {
-    base::StringToInt(parsed_command_line.GetSwitchValueASCII("n"),
-                      &client_limit);
-  }
-  bool use_cache = parsed_command_line.HasSwitch("use-cache");
-  if (parsed_command_line.HasSwitch("v")) {
-    logging::SetMinLogLevel(-10);
-  }
-
-  // Do work here.
-  base::MessageLoopForIO loop;
-
-  scoped_refptr<SingleThreadRequestContextGetter> context_getter(
-      new SingleThreadRequestContextGetter(use_cache,
-                                           loop.message_loop_proxy()));
-
-  {
-    base::StatsCounterTimer driver_time("FetchClient.total_time");
-    base::StatsScope<base::StatsCounterTimer> scope(driver_time);
-
-    Client** clients = new Client*[client_limit];
-    for (int i = 0; i < client_limit; i++) {
-      clients[i] = new Client(url, context_getter);
-      clients[i]->Start();
-    }
-
-    base::MessageLoop::current()->Run();
-  }
-
-  // Print Statistics here.
-  int num_clients = table.GetCounterValue("c:FetchClient.requests");
-  int test_time = table.GetCounterValue("t:FetchClient.total_time");
-  int bytes_read = table.GetCounterValue("c:FetchClient.bytes_read");
-
-  printf("\n");
-  printf("Clients     : %d\n", num_clients);
-  printf("Time        : %dms\n", test_time);
-  printf("Bytes Read  : %d\n", bytes_read);
-  if (test_time > 0) {
-    const char *units = "bps";
-    double bps = static_cast<float>(bytes_read * 8) /
-        (static_cast<float>(test_time) / 1000.0);
-
-    if (bps > (1024*1024)) {
-      bps /= (1024*1024);
-      units = "Mbps";
-    } else if (bps > 1024) {
-      bps /= 1024;
-      units = "Kbps";
-    }
-    printf("Bandwidth   : %.2f%s\n", bps, units);
-  }
-
-  if (parsed_command_line.HasSwitch("stats")) {
-    // Dump the stats table.
-    printf("<stats>\n");
-    int counter_max = table.GetMaxCounters();
-    for (int index = 0; index < counter_max; index++) {
-      std::string name(table.GetRowName(index));
-      if (name.length() > 0) {
-        int value = table.GetRowValue(index);
-        printf("%s:\t%d\n", name.c_str(), value);
-      }
-    }
-    printf("</stats>\n");
-  }
-  return 0;
-}
diff --git a/net/tools/fetch/fetch_server.cc b/net/tools/fetch/fetch_server.cc
deleted file mode 100644
index a2ffc5b570..0000000000
--- a/net/tools/fetch/fetch_server.cc
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/at_exit.h"
-#include "base/command_line.h"
-#include "base/memory/singleton.h"
-#include "base/message_loop/message_loop.h"
-#include "base/metrics/stats_counters.h"
-#include "net/base/completion_callback.h"
-#include "net/base/io_buffer.h"
-#include "net/base/net_errors.h"
-#include "net/base/winsock_init.h"
-#include "net/http/http_network_layer.h"
-#include "net/http/http_request_info.h"
-#include "net/http/http_transaction.h"
-#include "net/proxy/proxy_service.h"
-#include "net/tools/fetch/http_server.h"
-
-void usage(const char* program_name) {
-  printf("usage: %s\n", program_name);
-  exit(-1);
-}
-
-int main(int argc, char**argv) {
-  base::AtExitManager exit;
-  base::StatsTable table("fetchserver", 50, 1000);
-  table.set_current(&table);
-
-#if defined(OS_WIN)
-  net::EnsureWinsockInit();
-#endif  // defined(OS_WIN)
-
-  CommandLine::Init(0, NULL);
-  const CommandLine& parsed_command_line = *CommandLine::ForCurrentProcess();
-
-  // Do work here.
-  base::MessageLoop loop;
-  HttpServer server(std::string(),
-                    80);  // TODO(mbelshe): make port configurable
-  base::MessageLoop::current()->Run();
-
-  if (parsed_command_line.HasSwitch("stats")) {
-    // Dump the stats table.
-    printf("<stats>\n");
-    int counter_max = table.GetMaxCounters();
-    for (int index=0; index < counter_max; index++) {
-      std::string name(table.GetRowName(index));
-      if (name.length() > 0) {
-        int value = table.GetRowValue(index);
-        printf("%s:\t%d\n", name.c_str(), value);
-      }
-    }
-    printf("</stats>\n");
-  }
-
-}
diff --git a/net/tools/fetch/http_listen_socket.cc b/net/tools/fetch/http_listen_socket.cc
deleted file mode 100644
index 410a0ba55e..0000000000
--- a/net/tools/fetch/http_listen_socket.cc
+++ /dev/null
@@ -1,249 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/tools/fetch/http_listen_socket.h"
-
-#include "base/compiler_specific.h"
-#include "base/logging.h"
-#include "base/message_loop/message_loop.h"
-#include "base/stl_util.h"
-#include "base/strings/string_number_conversions.h"
-#include "net/tools/fetch/http_server_request_info.h"
-#include "net/tools/fetch/http_server_response_info.h"
-
-HttpListenSocket::HttpListenSocket(net::SocketDescriptor s,
-                                   HttpListenSocket::Delegate* delegate)
-    : net::TCPListenSocket(s, this),
-      delegate_(delegate) {
-}
-
-HttpListenSocket::~HttpListenSocket() {
-  STLDeleteElements(&connections_);
-}
-
-void HttpListenSocket::Accept() {
-  net::SocketDescriptor conn = net::TCPListenSocket::AcceptSocket();
-  DCHECK_NE(conn, net::kInvalidSocket);
-  if (conn == net::kInvalidSocket) {
-    // TODO
-  } else {
-    scoped_ptr<StreamListenSocket> sock(
-        new HttpListenSocket(conn, delegate_));
-    DidAccept(this, sock.Pass());
-  }
-}
-
-// static
-scoped_ptr<HttpListenSocket> HttpListenSocket::CreateAndListen(
-    const std::string& ip,
-    int port,
-    HttpListenSocket::Delegate* delegate) {
-  net::SocketDescriptor s = net::TCPListenSocket::CreateAndBind(ip, port);
-  if (s == net::kInvalidSocket) {
-    // TODO (ibrar): error handling.
-  } else {
-    scoped_ptr<HttpListenSocket> serv(new HttpListenSocket(s, delegate));
-    serv->Listen();
-    return serv.Pass();
-  }
-  return scoped_ptr<HttpListenSocket>();
-}
-
-//
-// HTTP Request Parser
-// This HTTP request parser uses a simple state machine to quickly parse
-// through the headers.  The parser is not 100% complete, as it is designed
-// for use in this simple test driver.
-//
-// Known issues:
-//   - does not handle whitespace on first HTTP line correctly.  Expects
-//     a single space between the method/url and url/protocol.
-
-// Input character types.
-enum header_parse_inputs {
-  INPUT_SPACE,
-  INPUT_CR,
-  INPUT_LF,
-  INPUT_COLON,
-  INPUT_DEFAULT,
-  MAX_INPUTS
-};
-
-// Parser states.
-enum header_parse_states {
-  ST_METHOD,     // Receiving the method.
-  ST_URL,        // Receiving the URL.
-  ST_PROTO,      // Receiving the protocol.
-  ST_HEADER,     // Starting a Request Header.
-  ST_NAME,       // Receiving a request header name.
-  ST_SEPARATOR,  // Receiving the separator between header name and value.
-  ST_VALUE,      // Receiving a request header value.
-  ST_DONE,       // Parsing is complete and successful.
-  ST_ERR,        // Parsing encountered invalid syntax.
-  MAX_STATES
-};
-
-// State transition table.
-int parser_state[MAX_STATES][MAX_INPUTS] = {
-/* METHOD    */ { ST_URL,       ST_ERR,     ST_ERR,  ST_ERR,       ST_METHOD },
-/* URL       */ { ST_PROTO,     ST_ERR,     ST_ERR,  ST_URL,       ST_URL },
-/* PROTOCOL  */ { ST_ERR,       ST_HEADER,  ST_NAME, ST_ERR,       ST_PROTO },
-/* HEADER    */ { ST_ERR,       ST_ERR,     ST_NAME, ST_ERR,       ST_ERR },
-/* NAME      */ { ST_SEPARATOR, ST_DONE,    ST_ERR,  ST_SEPARATOR, ST_NAME },
-/* SEPARATOR */ { ST_SEPARATOR, ST_ERR,     ST_ERR,  ST_SEPARATOR, ST_VALUE },
-/* VALUE     */ { ST_VALUE,     ST_HEADER,  ST_NAME, ST_VALUE,     ST_VALUE },
-/* DONE      */ { ST_DONE,      ST_DONE,    ST_DONE, ST_DONE,      ST_DONE },
-/* ERR       */ { ST_ERR,       ST_ERR,     ST_ERR,  ST_ERR,       ST_ERR }
-};
-
-// Convert an input character to the parser's input token.
-int charToInput(char ch) {
-  switch(ch) {
-    case ' ':
-      return INPUT_SPACE;
-    case '\r':
-      return INPUT_CR;
-    case '\n':
-      return INPUT_LF;
-    case ':':
-      return INPUT_COLON;
-  }
-  return INPUT_DEFAULT;
-}
-
-HttpServerRequestInfo* HttpListenSocket::ParseHeaders() {
-  int pos = 0;
-  int data_len = recv_data_.length();
-  int state = ST_METHOD;
-  HttpServerRequestInfo* info = new HttpServerRequestInfo();
-  std::string buffer;
-  std::string header_name;
-  std::string header_value;
-  while (pos < data_len) {
-    char ch = recv_data_[pos++];
-    int input = charToInput(ch);
-    int next_state = parser_state[state][input];
-
-    bool transition = (next_state != state);
-    if (transition) {
-      // Do any actions based on state transitions.
-      switch (state) {
-        case ST_METHOD:
-          info->method = buffer;
-          buffer.clear();
-          break;
-        case ST_URL:
-          info->url = GURL(buffer);
-          buffer.clear();
-          break;
-        case ST_PROTO:
-          // TODO(mbelshe): Deal better with parsing protocol.
-          DCHECK(buffer == "HTTP/1.1");
-          buffer.clear();
-          break;
-        case ST_NAME:
-          header_name = buffer;
-          buffer.clear();
-          break;
-        case ST_VALUE:
-          header_value = buffer;
-          // TODO(mbelshe): Deal better with duplicate headers.
-          DCHECK(info->headers.find(header_name) == info->headers.end());
-          info->headers[header_name] = header_value;
-          buffer.clear();
-          break;
-      }
-      state = next_state;
-    } else {
-      // Do any actions based on current state.
-      switch (state) {
-        case ST_METHOD:
-        case ST_URL:
-        case ST_PROTO:
-        case ST_VALUE:
-        case ST_NAME:
-          buffer.append(&ch, 1);
-          break;
-        case ST_DONE:
-          recv_data_ = recv_data_.substr(pos);
-          return info;
-        case ST_ERR:
-          delete info;
-          return NULL;
-      }
-    }
-  }
-  // No more characters, but we haven't finished parsing yet.
-  delete info;
-  return NULL;
-}
-
-void HttpListenSocket::DidAccept(
-    net::StreamListenSocket* server,
-    scoped_ptr<net::StreamListenSocket> connection) {
-  connections_.insert(connection.release());
-}
-
-void HttpListenSocket::DidRead(net::StreamListenSocket* connection,
-                               const char* data,
-                               int len) {
-  recv_data_.append(data, len);
-  while (recv_data_.length()) {
-    HttpServerRequestInfo* request = ParseHeaders();
-    if (!request)
-      break;
-    delegate_->OnRequest(this, request);
-    delete request;
-  }
-}
-
-void HttpListenSocket::DidClose(net::StreamListenSocket* sock) {
-  size_t count = connections_.erase(sock);
-  DCHECK_EQ(1u, count);
-  delete sock;
-}
-
-// Convert the numeric status code to a string.
-// e.g.  200 -> "200 OK".
-std::string ServerStatus(int code) {
-  switch(code) {
-    case 200:
-      return std::string("200 OK");
-    // TODO(mbelshe): handle other codes.
-  }
-  NOTREACHED();
-  return std::string();
-}
-
-void HttpListenSocket::Respond(HttpServerResponseInfo* info,
-                               std::string& data) {
-  std::string response;
-
-  // Status line.
-  response = info->protocol + " ";
-  response += ServerStatus(info->status);
-  response += "\r\n";
-
-  // Standard headers.
-  if (info->content_type.length())
-    response += "Content-type: " + info->content_type + "\r\n";
-
-  if (info->content_length > 0)
-    response += "Content-length: " + base::IntToString(info->content_length) +
-        "\r\n";
-
-  if (info->connection_close)
-    response += "Connection: close\r\n";
-
-  // TODO(mbelshe): support additional headers.
-
-  // End of headers.
-  response += "\r\n";
-
-  // Add data.
-  response += data;
-
-  // Write it all out.
-  this->Send(response, false);
-}
diff --git a/net/tools/fetch/http_listen_socket.h b/net/tools/fetch/http_listen_socket.h
deleted file mode 100644
index e0a58c03e2..0000000000
--- a/net/tools/fetch/http_listen_socket.h
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_BASE_TOOLS_HTTP_LISTEN_SOCKET_H_
-#define NET_BASE_TOOLS_HTTP_LISTEN_SOCKET_H_
-
-#include <set>
-
-#include "base/message_loop/message_loop.h"
-#include "net/socket/stream_listen_socket.h"
-#include "net/socket/tcp_listen_socket.h"
-
-class HttpServerRequestInfo;
-class HttpServerResponseInfo;
-
-// Implements a simple HTTP listen socket on top of the raw socket interface.
-class HttpListenSocket : public net::TCPListenSocket,
-                         public net::StreamListenSocket::Delegate {
- public:
-  class Delegate {
-   public:
-    virtual void OnRequest(HttpListenSocket* connection,
-                           HttpServerRequestInfo* info) = 0;
-
-   protected:
-    virtual ~Delegate() {}
-  };
-
-  virtual ~HttpListenSocket();
-
-  static scoped_ptr<HttpListenSocket> CreateAndListen(
-      const std::string& ip, int port, HttpListenSocket::Delegate* delegate);
-
-  // Send a server response.
-  // TODO(mbelshe): make this capable of non-ascii data.
-  void Respond(HttpServerResponseInfo* info, std::string& data);
-
-  // StreamListenSocket::Delegate.
-  virtual void DidAccept(
-      net::StreamListenSocket* server,
-      scoped_ptr<net::StreamListenSocket> connection) OVERRIDE;
-  virtual void DidRead(net::StreamListenSocket* connection,
-                       const char* data, int len) OVERRIDE;
-  virtual void DidClose(net::StreamListenSocket* sock) OVERRIDE;
-
- protected:
-  // Overrides TCPListenSocket::Accept().
-  virtual void Accept() OVERRIDE;
-
- private:
-  static const int kReadBufSize = 16 * 1024;
-
-  // Must run in the IO thread.
-  HttpListenSocket(net::SocketDescriptor s, HttpListenSocket::Delegate* del);
-
-  // Expects the raw data to be stored in recv_data_. If parsing is successful,
-  // will remove the data parsed from recv_data_, leaving only the unused
-  // recv data.
-  HttpServerRequestInfo* ParseHeaders();
-
-  HttpListenSocket::Delegate* const delegate_;
-  std::string recv_data_;
-
-  std::set<StreamListenSocket*> connections_;
-
-  DISALLOW_COPY_AND_ASSIGN(HttpListenSocket);
-};
-
-#endif // NET_BASE_TOOLS_HTTP_LISTEN_SOCKET_H_
diff --git a/net/tools/fetch/http_server.cc b/net/tools/fetch/http_server.cc
deleted file mode 100644
index 71afb67bc3..0000000000
--- a/net/tools/fetch/http_server.cc
+++ /dev/null
@@ -1,12 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/tools/fetch/http_server.h"
-
-HttpServer::HttpServer(std::string ip, int port)
-    : session_(new HttpSession(ip, port)) {
-}
-
-HttpServer::~HttpServer() {
-}
diff --git a/net/tools/fetch/http_server.h b/net/tools/fetch/http_server.h
deleted file mode 100644
index 691413078e..0000000000
--- a/net/tools/fetch/http_server.h
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_BASE_TOOLS_HTTP_SERVER_H_
-#define NET_BASE_TOOLS_HTTP_SERVER_H_
-
-#include "base/basictypes.h"
-#include "base/memory/scoped_ptr.h"
-#include "net/tools/fetch/http_session.h"
-
-// Implements a simple, single-threaded HttpServer.
-// Right now, this class implements no functionality above and beyond
-// the HttpSession.
-class HttpServer {
-public:
-  HttpServer(std::string ip, int port);
-  ~HttpServer();
-
-private:
-  scoped_ptr<HttpSession> session_;
-  DISALLOW_COPY_AND_ASSIGN(HttpServer);
-};
-
-#endif // NET_BASE_TOOLS_HTTP_SERVER_H_
-
diff --git a/net/tools/fetch/http_server_request_info.cc b/net/tools/fetch/http_server_request_info.cc
deleted file mode 100644
index 52b6860e0a..0000000000
--- a/net/tools/fetch/http_server_request_info.cc
+++ /dev/null
@@ -1,11 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/tools/fetch/http_server_request_info.h"
-
-HttpServerRequestInfo::HttpServerRequestInfo()
-    : net::HttpRequestInfo() {
-}
-
-HttpServerRequestInfo::~HttpServerRequestInfo() {}
diff --git a/net/tools/fetch/http_server_request_info.h b/net/tools/fetch/http_server_request_info.h
deleted file mode 100644
index 9b0fae18d1..0000000000
--- a/net/tools/fetch/http_server_request_info.h
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_BASE_TOOLS_HTTP_SERVER_REQUEST_INFO_H_
-#define NET_BASE_TOOLS_HTTP_SERVER_REQUEST_INFO_H_
-
-#include <map>
-#include <string>
-
-#include "net/http/http_request_info.h"
-
-// Meta information about an HTTP request.
-// This is geared toward servers in that it keeps a map of the headers and
-// values rather than just a list of header strings (which net::HttpRequestInfo
-// does).
-class HttpServerRequestInfo : public net::HttpRequestInfo {
- public:
-  HttpServerRequestInfo();
-  virtual ~HttpServerRequestInfo();
-
-  // A map of the names -> values for HTTP headers.
-  std::map<std::string, std::string> headers;
-};
-
-#endif  // NET_BASE_TOOLS_HTTP_SERVER_REQUEST_INFO_H_
diff --git a/net/tools/fetch/http_server_response_info.cc b/net/tools/fetch/http_server_response_info.cc
deleted file mode 100644
index d9ca02a6d0..0000000000
--- a/net/tools/fetch/http_server_response_info.cc
+++ /dev/null
@@ -1,11 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/tools/fetch/http_server_response_info.h"
-
-HttpServerResponseInfo::HttpServerResponseInfo()
-    : status(200), content_length(0), connection_close(false) {
-}
-
-HttpServerResponseInfo::~HttpServerResponseInfo() {}
diff --git a/net/tools/fetch/http_server_response_info.h b/net/tools/fetch/http_server_response_info.h
deleted file mode 100644
index e01f7300d9..0000000000
--- a/net/tools/fetch/http_server_response_info.h
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_HTTP_HTTP_RESPONSE_INFO_H_
-#define NET_HTTP_HTTP_RESPONSE_INFO_H_
-
-#include <map>
-#include <string>
-
-// Meta information about a server response.
-class HttpServerResponseInfo {
- public:
-  HttpServerResponseInfo();
-  ~HttpServerResponseInfo();
-
-  // The response protocol.
-  std::string protocol;
-
-  // The status code.
-  int status;
-
-  // The server identifier.
-  std::string server_name;
-
-  // The content type.
-  std::string content_type;
-
-  // The content length.
-  int content_length;
-
-  // Should we close the connection.
-  bool connection_close;
-
-  // Additional response headers.
-  std::map<std::string, std::string> headers;
-};
-
-#endif  // NET_HTTP_HTTP_RESPONSE_INFO_H_
diff --git a/net/tools/fetch/http_session.cc b/net/tools/fetch/http_session.cc
deleted file mode 100644
index d9e991b798..0000000000
--- a/net/tools/fetch/http_session.cc
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/tools/fetch/http_session.h"
-#include "net/tools/fetch/http_server_response_info.h"
-
-HttpSession::HttpSession(const std::string& ip, int port)
-    : socket_(HttpListenSocket::CreateAndListen(ip, port, this)) {
-}
-
-HttpSession::~HttpSession() {
-}
-
-void HttpSession::OnRequest(HttpListenSocket* connection,
-                            HttpServerRequestInfo* info) {
-  // TODO(mbelshe):  Make this function more interesting.
-
-  // Generate a 10KB sequence of data.
-  CR_DEFINE_STATIC_LOCAL(std::string, data, ());
-  if (data.length() == 0) {
-    while (data.length() < (10 * 1024))
-      data += 'a' + (rand() % 26);
-  }
-
-  HttpServerResponseInfo response_info;
-  response_info.protocol = "HTTP/1.1";
-  response_info.status = 200;
-  response_info.content_type = "text/plain";
-  response_info.content_length = data.length();
-
-  connection->Respond(&response_info, data);
-}
diff --git a/net/tools/fetch/http_session.h b/net/tools/fetch/http_session.h
deleted file mode 100644
index b0266f2a9f..0000000000
--- a/net/tools/fetch/http_session.h
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_BASE_TOOLS_HTTP_SESSION_H_
-#define NET_BASE_TOOLS_HTTP_SESSION_H_
-
-#include "base/basictypes.h"
-#include "net/http/http_request_info.h"
-#include "net/tools/fetch/http_listen_socket.h"
-
-// An HttpSession encapsulates a server-side HTTP listen socket.
-class HttpSession : HttpListenSocket::Delegate {
- public:
-  HttpSession(const std::string& ip, int port);
-  virtual ~HttpSession();
-
-  virtual void OnRequest(HttpListenSocket* connection,
-                         HttpServerRequestInfo* info) OVERRIDE;
-
- private:
-  scoped_ptr<HttpListenSocket> socket_;
-  DISALLOW_COPY_AND_ASSIGN(HttpSession);
-};
-
-#endif // NET_BASE_TOOLS_HTTP_SESSION_H_
-
diff --git a/net/tools/quic/end_to_end_test.cc b/net/tools/quic/end_to_end_test.cc
index 7014babe8a..dcba71aefb 100644
--- a/net/tools/quic/end_to_end_test.cc
+++ b/net/tools/quic/end_to_end_test.cc
@@ -156,7 +156,8 @@ class EndToEndTest : public ::testing::TestWithParam<TestParams> {
     CHECK(net::ParseIPLiteralToNumber("127.0.0.1", &ip));
     uint port = 0;
     server_address_ = IPEndPoint(ip, port);
-    server_key_ = QuicSessionKey("example.com", port, false);
+    server_key_ = QuicSessionKey("example.com", port, false,
+                                 kPrivacyModeDisabled);
 
     client_supported_versions_ = GetParam().client_supported_versions;
     server_supported_versions_ = GetParam().server_supported_versions;
@@ -225,8 +226,8 @@ class EndToEndTest : public ::testing::TestWithParam<TestParams> {
     server_thread_->Initialize();
     server_address_ = IPEndPoint(server_address_.address(),
                                  server_thread_->GetPort());
-    server_key_ = QuicSessionKey(server_key_.host(),
-                                  server_thread_->GetPort(), false);
+    server_key_ = QuicSessionKey(server_key_.host(), server_thread_->GetPort(),
+                                 false, kPrivacyModeDisabled);
 
     QuicDispatcher* dispatcher =
         QuicServerPeer::GetDispatcher(server_thread_->server());
diff --git a/net/tools/quic/quic_client_bin.cc b/net/tools/quic/quic_client_bin.cc
index db2de1462c..8f4ad50298 100644
--- a/net/tools/quic/quic_client_bin.cc
+++ b/net/tools/quic/quic_client_bin.cc
@@ -17,6 +17,7 @@
 #include "base/logging.h"
 #include "base/strings/string_number_conversions.h"
 #include "net/base/ip_endpoint.h"
+#include "net/base/privacy_mode.h"
 #include "net/quic/quic_protocol.h"
 #include "net/tools/quic/quic_client.h"
 
@@ -73,7 +74,8 @@ int main(int argc, char *argv[]) {
   // TODO(rjshade): Set version on command line.
   net::tools::QuicClient client(
       net::IPEndPoint(addr, FLAGS_port),
-      net::QuicSessionKey(FLAGS_hostname, FLAGS_port, FLAGS_secure),
+      net::QuicSessionKey(FLAGS_hostname, FLAGS_port, FLAGS_secure,
+                          net::kPrivacyModeDisabled),
       net::QuicSupportedVersions(), true);
 
   client.Initialize();
diff --git a/net/tools/quic/quic_client_session.cc b/net/tools/quic/quic_client_session.cc
index 54f46e36cb..29b178a5c1 100644
--- a/net/tools/quic/quic_client_session.cc
+++ b/net/tools/quic/quic_client_session.cc
@@ -19,13 +19,21 @@ QuicClientSession::QuicClientSession(
     const QuicConfig& config,
     QuicConnection* connection,
     QuicCryptoClientConfig* crypto_config)
-    : QuicSession(connection, config),
+    : QuicClientSessionBase(connection, config),
       crypto_stream_(server_key, this, NULL, crypto_config) {
 }
 
 QuicClientSession::~QuicClientSession() {
 }
 
+void QuicClientSession::OnProofValid(
+    const QuicCryptoClientConfig::CachedState& /*cached*/) {
+}
+
+void QuicClientSession::OnProofVerifyDetailsAvailable(
+    const ProofVerifyDetails& /*verify_details*/) {
+}
+
 QuicSpdyClientStream* QuicClientSession::CreateOutgoingDataStream() {
   if (!crypto_stream_.encryption_established()) {
     DVLOG(1) << "Encryption not active so no outgoing stream created.";
diff --git a/net/tools/quic/quic_client_session.h b/net/tools/quic/quic_client_session.h
index f3bce29039..6f7a1ba6df 100644
--- a/net/tools/quic/quic_client_session.h
+++ b/net/tools/quic/quic_client_session.h
@@ -10,9 +10,9 @@
 #include <string>
 
 #include "base/basictypes.h"
+#include "net/quic/quic_client_session_base.h"
 #include "net/quic/quic_crypto_client_stream.h"
 #include "net/quic/quic_protocol.h"
-#include "net/quic/quic_session.h"
 #include "net/tools/quic/quic_spdy_client_stream.h"
 
 namespace net {
@@ -23,7 +23,7 @@ class ReliableQuicStream;
 
 namespace tools {
 
-class QuicClientSession : public QuicSession {
+class QuicClientSession : public QuicClientSessionBase {
  public:
   QuicClientSession(const QuicSessionKey& server_key,
                     const QuicConfig& config,
@@ -31,6 +31,12 @@ class QuicClientSession : public QuicSession {
                     QuicCryptoClientConfig* crypto_config);
   virtual ~QuicClientSession();
 
+  // QuicClientSessionBase methods:
+  virtual void OnProofValid(
+      const QuicCryptoClientConfig::CachedState& cached) OVERRIDE;
+  virtual void OnProofVerifyDetailsAvailable(
+      const ProofVerifyDetails& verify_details) OVERRIDE;
+
   // QuicSession methods:
   virtual QuicSpdyClientStream* CreateOutgoingDataStream() OVERRIDE;
   virtual QuicCryptoClientStream* GetCryptoStream() OVERRIDE;
diff --git a/net/tools/quic/quic_client_session_test.cc b/net/tools/quic/quic_client_session_test.cc
index a0b49d4df5..57992cd24e 100644
--- a/net/tools/quic/quic_client_session_test.cc
+++ b/net/tools/quic/quic_client_session_test.cc
@@ -35,7 +35,7 @@ class ToolsQuicClientSessionTest
                                                SupportedVersions(GetParam()))) {
     crypto_config_.SetDefaults();
     session_.reset(new QuicClientSession(
-        QuicSessionKey(kServerHostname, kPort, false),
+        QuicSessionKey(kServerHostname, kPort, false, kPrivacyModeDisabled),
         DefaultQuicConfig(), connection_, &crypto_config_));
     session_->config()->SetDefaults();
   }
diff --git a/net/tools/quic/quic_spdy_client_stream_test.cc b/net/tools/quic/quic_spdy_client_stream_test.cc
index 40105dd25e..5dd10d009c 100644
--- a/net/tools/quic/quic_spdy_client_stream_test.cc
+++ b/net/tools/quic/quic_spdy_client_stream_test.cc
@@ -30,7 +30,8 @@ class QuicSpdyClientStreamTest : public TestWithParam<QuicVersion> {
   QuicSpdyClientStreamTest()
       : connection_(new StrictMock<MockConnection>(
             false, SupportedVersions(GetParam()))),
-        session_(QuicSessionKey("example.com", 80, false), DefaultQuicConfig(),
+        session_(QuicSessionKey("example.com", 80, false, kPrivacyModeDisabled),
+                 DefaultQuicConfig(),
                  connection_, &crypto_config_),
         body_("hello world") {
     crypto_config_.SetDefaults();
diff --git a/net/tools/quic/test_tools/quic_test_client.cc b/net/tools/quic/test_tools/quic_test_client.cc
index d88d836f83..7413202717 100644
--- a/net/tools/quic/test_tools/quic_test_client.cc
+++ b/net/tools/quic/test_tools/quic_test_client.cc
@@ -39,6 +39,7 @@ class RecordingProofVerifier : public ProofVerifier {
                              const string& server_config,
                              const vector<string>& certs,
                              const string& signature,
+                             const net::ProofVerifyContext* context,
                              string* error_details,
                              scoped_ptr<ProofVerifyDetails>* details,
                              ProofVerifierCallback* callback) OVERRIDE {
@@ -214,7 +215,7 @@ ssize_t QuicTestClient::SendMessage(const HTTPMessage& message) {
     if (!url.host().empty()) {
       client_->set_server_key(
           QuicSessionKey(url.host(), url.EffectiveIntPort(),
-                         url.SchemeIs("https") ? true : false));
+                         url.SchemeIs("https"), kPrivacyModeDisabled));
     }
   }
 
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 0a1f59b0c5..13aafcd538 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -27,6 +27,7 @@ import re
 import select
 import socket
 import SocketServer
+import ssl
 import struct
 import sys
 import threading
@@ -51,7 +52,10 @@ import tlslite.api
 # Insert at the beginning of the path, we want this to be used
 # unconditionally.
 sys.path.insert(0, os.path.join(ROOT_DIR, 'third_party', 'pywebsocket', 'src'))
+import mod_pywebsocket.standalone
 from mod_pywebsocket.standalone import WebSocketServer
+# import manually
+mod_pywebsocket.standalone.ssl = ssl
 
 SERVER_HTTP = 0
 SERVER_FTP = 1
@@ -84,6 +88,7 @@ class WebSocketOptions:
     self.certificate = None
     self.tls_client_auth = False
     self.tls_client_ca = None
+    self.tls_module = 'ssl'
     self.use_basic_auth = False
 
 
diff --git a/net/udp/udp_socket_libevent.cc b/net/udp/udp_socket_libevent.cc
index 9c8215ca74..564627631a 100644
--- a/net/udp/udp_socket_libevent.cc
+++ b/net/udp/udp_socket_libevent.cc
@@ -128,7 +128,7 @@ int UDPSocketLibevent::GetPeerAddress(IPEndPoint* address) const {
       return MapSystemError(errno);
     scoped_ptr<IPEndPoint> address(new IPEndPoint());
     if (!address->FromSockAddr(storage.addr, storage.addr_len))
-      return ERR_FAILED;
+      return ERR_ADDRESS_INVALID;
     remote_address_.reset(address.release());
   }
 
@@ -148,7 +148,7 @@ int UDPSocketLibevent::GetLocalAddress(IPEndPoint* address) const {
       return MapSystemError(errno);
     scoped_ptr<IPEndPoint> address(new IPEndPoint());
     if (!address->FromSockAddr(storage.addr, storage.addr_len))
-      return ERR_FAILED;
+      return ERR_ADDRESS_INVALID;
     local_address_.reset(address.release());
     net_log_.AddEvent(NetLog::TYPE_UDP_LOCAL_ADDRESS,
                       CreateNetLogUDPConnectCallback(local_address_.get()));
@@ -476,7 +476,7 @@ int UDPSocketLibevent::InternalRecvFrom(IOBuffer* buf, int buf_len,
   if (bytes_transferred >= 0) {
     result = bytes_transferred;
     if (address && !address->FromSockAddr(storage.addr, storage.addr_len))
-      result = ERR_FAILED;
+      result = ERR_ADDRESS_INVALID;
   } else {
     result = MapSystemError(errno);
   }
@@ -494,7 +494,7 @@ int UDPSocketLibevent::InternalSendTo(IOBuffer* buf, int buf_len,
     storage.addr_len = 0;
   } else {
     if (!address->ToSockAddr(storage.addr, &storage.addr_len)) {
-      int result = ERR_FAILED;
+      int result = ERR_ADDRESS_INVALID;
       LogWrite(result, NULL, NULL);
       return result;
     }
diff --git a/net/udp/udp_socket_win.cc b/net/udp/udp_socket_win.cc
index beaf400db0..78f51c9723 100644
--- a/net/udp/udp_socket_win.cc
+++ b/net/udp/udp_socket_win.cc
@@ -390,18 +390,42 @@ int UDPSocketWin::CreateSocket(int addr_family) {
 
 bool UDPSocketWin::SetReceiveBufferSize(int32 size) {
   DCHECK(CalledOnValidThread());
-  int rv = setsockopt(socket_, SOL_SOCKET, SO_RCVBUF,
-                      reinterpret_cast<const char*>(&size), sizeof(size));
-  DCHECK(!rv) << "Could not set socket receive buffer size: " << errno;
-  return rv == 0;
+  setsockopt(socket_, SOL_SOCKET, SO_RCVBUF,
+             reinterpret_cast<const char*>(&size), sizeof(size));
+  // If the setsockopt fails, but the buffer is big enough, we will return
+  // success. It is not worth testing the return value as we still need to check
+  // via getsockopt anyway according to Windows documentation.
+  int32 actual_size = 0;
+  int option_size = sizeof(actual_size);
+  int rv = getsockopt(socket_, SOL_SOCKET, SO_RCVBUF,
+                      reinterpret_cast<char*>(&actual_size), &option_size);
+  if (rv != 0)
+    return false;
+  if (actual_size < size) {
+    UMA_HISTOGRAM_CUSTOM_COUNTS("Net.SocketReceiveBufferUnchangeable",
+                                actual_size, 1000, 1000000, 50);
+  }
+  return actual_size >= size;
 }
 
 bool UDPSocketWin::SetSendBufferSize(int32 size) {
   DCHECK(CalledOnValidThread());
-  int rv = setsockopt(socket_, SOL_SOCKET, SO_SNDBUF,
-                      reinterpret_cast<const char*>(&size), sizeof(size));
-  DCHECK(!rv) << "Could not set socket send buffer size: " << errno;
-  return rv == 0;
+  setsockopt(socket_, SOL_SOCKET, SO_SNDBUF,
+             reinterpret_cast<const char*>(&size), sizeof(size));
+  // If the setsockopt fails, but the buffer is big enough, we will return
+  // success. It is not worth testing the return value as we still need to check
+  // via getsockopt anyway according to Windows documentation.
+  int32 actual_size = 0;
+  int option_size = sizeof(actual_size);
+  int rv = getsockopt(socket_, SOL_SOCKET, SO_SNDBUF,
+                      reinterpret_cast<char*>(&actual_size), &option_size);
+  if (rv != 0)
+    return false;
+  if (actual_size < size) {
+    UMA_HISTOGRAM_CUSTOM_COUNTS("Net.SocketUnchangeableSendBuffer",
+                                actual_size, 1000, 1000000, 50);
+  }
+  return actual_size >= size;
 }
 
 void UDPSocketWin::AllowAddressReuse() {
@@ -529,7 +553,7 @@ int UDPSocketWin::InternalRecvFrom(IOBuffer* buf, int buf_len,
       // Convert address.
       if (address && result >= 0) {
         if (!ReceiveAddressToIPEndpoint(address))
-          result = ERR_FAILED;
+          result = ERR_ADDRESS_INVALID;
       }
       LogRead(result, buf->data());
       return result;
@@ -558,7 +582,7 @@ int UDPSocketWin::InternalSendTo(IOBuffer* buf, int buf_len,
     storage.addr_len = 0;
   } else {
     if (!address->ToSockAddr(addr, &storage.addr_len)) {
-      int result = ERR_FAILED;
+      int result = ERR_ADDRESS_INVALID;
       LogWrite(result, NULL, NULL);
       return result;
     }
diff --git a/net/url_request/url_request_context_builder.cc b/net/url_request/url_request_context_builder.cc
index 744dc3ba4c..8405163526 100644
--- a/net/url_request/url_request_context_builder.cc
+++ b/net/url_request/url_request_context_builder.cc
@@ -64,8 +64,8 @@ class BasicNetworkDelegate : public NetworkDelegate {
       URLRequest* request,
       const CompletionCallback& callback,
       const HttpResponseHeaders* original_response_headers,
-      scoped_refptr<HttpResponseHeaders>* override_response_headers)
-      OVERRIDE {
+      scoped_refptr<HttpResponseHeaders>* override_response_headers,
+      GURL* allowed_unsafe_redirect_url) OVERRIDE {
     return OK;
   }
 
diff --git a/net/url_request/url_request_http_job.cc b/net/url_request/url_request_http_job.cc
index 7207777517..41b15158d5 100644
--- a/net/url_request/url_request_http_job.cc
+++ b/net/url_request/url_request_http_job.cc
@@ -24,7 +24,8 @@
 #include "net/base/network_delegate.h"
 #include "net/base/sdch_manager.h"
 #include "net/cert/cert_status_flags.h"
-#include "net/cookies/cookie_monster.h"
+#include "net/cookies/cookie_store.h"
+#include "net/http/http_content_disposition.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_response_headers.h"
@@ -58,6 +59,7 @@ class URLRequestHttpJob::HttpFilterContext : public FilterContext {
   // FilterContext implementation.
   virtual bool GetMimeType(std::string* mime_type) const OVERRIDE;
   virtual bool GetURL(GURL* gurl) const OVERRIDE;
+  virtual bool GetContentDisposition(std::string* disposition) const OVERRIDE;
   virtual base::Time GetRequestTime() const OVERRIDE;
   virtual bool IsCachedContent() const OVERRIDE;
   virtual bool IsDownload() const OVERRIDE;
@@ -96,6 +98,13 @@ bool URLRequestHttpJob::HttpFilterContext::GetURL(GURL* gurl) const {
   return true;
 }
 
+bool URLRequestHttpJob::HttpFilterContext::GetContentDisposition(
+    std::string* disposition) const {
+  HttpResponseHeaders* headers = job_->GetResponseHeaders();
+  void *iter = NULL;
+  return headers->EnumerateHeader(&iter, "Content-Disposition", disposition);
+}
+
 base::Time URLRequestHttpJob::HttpFilterContext::GetRequestTime() const {
   return job_->request() ? job_->request()->request_time() : base::Time();
 }
@@ -541,15 +550,10 @@ void URLRequestHttpJob::AddCookieHeaderAndStart() {
 
   CookieStore* cookie_store = GetCookieStore();
   if (cookie_store && !(request_info_.load_flags & LOAD_DO_NOT_SEND_COOKIES)) {
-    net::CookieMonster* cookie_monster = cookie_store->GetCookieMonster();
-    if (cookie_monster) {
-      cookie_monster->GetAllCookiesForURLAsync(
-          request_->url(),
-          base::Bind(&URLRequestHttpJob::CheckCookiePolicyAndLoad,
-                     weak_factory_.GetWeakPtr()));
-    } else {
-      CheckCookiePolicyAndLoad(CookieList());
-    }
+    cookie_store->GetAllCookiesForURLAsync(
+        request_->url(),
+        base::Bind(&URLRequestHttpJob::CheckCookiePolicyAndLoad,
+                   weak_factory_.GetWeakPtr()));
   } else {
     DoStartTransaction();
   }
@@ -803,11 +807,13 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
       // |on_headers_received_callback_| or
       // |NetworkDelegate::URLRequestDestroyed()| has been called.
       OnCallToDelegate();
+      allowed_unsafe_redirect_url_ = GURL();
       int error = network_delegate()->NotifyHeadersReceived(
           request_,
           on_headers_received_callback_,
           headers.get(),
-          &override_response_headers_);
+          &override_response_headers_,
+          &allowed_unsafe_redirect_url_);
       if (error != net::OK) {
         if (error == net::ERR_IO_PENDING) {
           awaiting_callback_ = true;
@@ -1035,6 +1041,15 @@ bool URLRequestHttpJob::IsSafeRedirect(const GURL& location) {
       (location.scheme() == "http" || location.scheme() == "https")) {
     return true;
   }
+  // Delegates may mark an URL as safe for redirection.
+  if (allowed_unsafe_redirect_url_.is_valid()) {
+    GURL::Replacements replacements;
+    replacements.ClearRef();
+    if (allowed_unsafe_redirect_url_.ReplaceComponents(replacements) ==
+        location.ReplaceComponents(replacements)) {
+      return true;
+    }
+  }
   // Query URLRequestJobFactory as to whether |location| would be safe to
   // redirect to.
   return request_->context()->job_factory() &&
@@ -1252,8 +1267,27 @@ int64 URLRequestHttpJob::GetTotalReceivedBytes() const {
 }
 
 void URLRequestHttpJob::DoneReading() {
-  if (transaction_.get())
+  if (transaction_) {
     transaction_->DoneReading();
+  }
+  DoneWithRequest(FINISHED);
+}
+
+void URLRequestHttpJob::DoneReadingRedirectResponse() {
+  if (transaction_) {
+    if (transaction_->GetResponseInfo()->headers->IsRedirect(NULL)) {
+      // If the original headers indicate a redirect, go ahead and cache the
+      // response, even if the |override_response_headers_| are a redirect to
+      // another location.
+      transaction_->DoneReading();
+    } else {
+      // Otherwise, |override_response_headers_| must be non-NULL and contain
+      // bogus headers indicating a redirect.
+      DCHECK(override_response_headers_);
+      DCHECK(override_response_headers_->IsRedirect(NULL));
+      transaction_->StopCaching();
+    }
+  }
   DoneWithRequest(FINISHED);
 }
 
diff --git a/net/url_request/url_request_http_job.h b/net/url_request/url_request_http_job.h
index 33014e50c6..95b77c94d2 100644
--- a/net/url_request/url_request_http_job.h
+++ b/net/url_request/url_request_http_job.h
@@ -122,6 +122,8 @@ class NET_EXPORT_PRIVATE URLRequestHttpJob : public URLRequestJob {
       HttpRequestHeaders* headers) const OVERRIDE;
   virtual int64 GetTotalReceivedBytes() const OVERRIDE;
   virtual void DoneReading() OVERRIDE;
+  virtual void DoneReadingRedirectResponse() OVERRIDE;
+
   virtual HostPortPair GetSocketAddress() const OVERRIDE;
   virtual void NotifyURLRequestDestroyed() OVERRIDE;
 
@@ -254,6 +256,9 @@ class NET_EXPORT_PRIVATE URLRequestHttpJob : public URLRequestJob {
   // layers of the network stack.
   scoped_refptr<HttpResponseHeaders> override_response_headers_;
 
+  // The network delegate can mark a URL as safe for redirection.
+  GURL allowed_unsafe_redirect_url_;
+
   // Flag used to verify that |this| is not deleted while we are awaiting
   // a callback from the NetworkDelegate. Used as a fail-fast mechanism.
   // True if we are waiting a callback and
diff --git a/net/url_request/url_request_job.cc b/net/url_request/url_request_job.cc
index aac992dd4d..35dbbb1d16 100644
--- a/net/url_request/url_request_job.cc
+++ b/net/url_request/url_request_job.cc
@@ -327,6 +327,10 @@ void URLRequestJob::NotifyHeadersComplete() {
   GURL new_location;
   int http_status_code;
   if (IsRedirectResponse(&new_location, &http_status_code)) {
+    // Redirect response bodies are not read. Notify the transaction
+    // so it does not treat being stopped as an error.
+    DoneReadingRedirectResponse();
+
     const GURL& url = request_->url();
 
     // Move the reference fragment of the old location to the new one if the
@@ -340,10 +344,6 @@ void URLRequestJob::NotifyHeadersComplete() {
       new_location = new_location.ReplaceComponents(replacements);
     }
 
-    // Redirect response bodies are not read. Notify the transaction
-    // so it does not treat being stopped as an error.
-    DoneReading();
-
     bool defer_redirect = false;
     request_->NotifyReceivedRedirect(new_location, &defer_redirect);
 
@@ -532,6 +532,9 @@ void URLRequestJob::DoneReading() {
   // Do nothing.
 }
 
+void URLRequestJob::DoneReadingRedirectResponse() {
+}
+
 void URLRequestJob::FilteredDataRead(int bytes_read) {
   DCHECK(filter_.get());  // don't add data if there is no filter
   filter_->FlushStreamBuffer(bytes_read);
diff --git a/net/url_request/url_request_job.h b/net/url_request/url_request_job.h
index 9bb763ef2e..c6f7ba4e4b 100644
--- a/net/url_request/url_request_job.h
+++ b/net/url_request/url_request_job.h
@@ -293,6 +293,11 @@ class NET_EXPORT URLRequestJob
   // the stream.
   virtual void DoneReading();
 
+  // Called to tell the job that the body won't be read because it's a redirect.
+  // This is needed so that redirect headers can be cached even though their
+  // bodies are never read.
+  virtual void DoneReadingRedirectResponse();
+
   // Informs the filter that data has been read into its buffer
   void FilteredDataRead(int bytes_read);
 
diff --git a/net/url_request/url_request_job_unittest.cc b/net/url_request/url_request_job_unittest.cc
index 99f43141d9..c8bbc19038 100644
--- a/net/url_request/url_request_job_unittest.cc
+++ b/net/url_request/url_request_job_unittest.cc
@@ -4,6 +4,7 @@
 
 #include "net/url_request/url_request_job.h"
 
+#include "base/run_loop.h"
 #include "net/base/request_priority.h"
 #include "net/http/http_transaction_unittest.h"
 #include "net/url_request/url_request_test_util.h"
@@ -96,7 +97,7 @@ TEST(URLRequestJob, SyncTransactionNotifiedWhenDone) {
   req.set_method("GET");
   req.Start();
 
-  base::MessageLoop::current()->Run();
+  base::RunLoop().Run();
 
   EXPECT_TRUE(network_layer.done_reading_called());
 
@@ -116,11 +117,34 @@ TEST(URLRequestJob, RedirectTransactionNotifiedWhenDone) {
   req.set_method("GET");
   req.Start();
 
-  base::MessageLoop::current()->Run();
+  base::RunLoop().Run();
 
   EXPECT_TRUE(network_layer.done_reading_called());
 
   RemoveMockTransaction(&kRedirect_Transaction);
 }
 
+TEST(URLRequestJob, TransactionNotCachedWhenNetworkDelegateRedirects) {
+  MockNetworkLayer network_layer;
+  TestNetworkDelegate network_delegate;
+  network_delegate.set_redirect_on_headers_received_url(GURL("http://foo"));
+  TestURLRequestContext context;
+  context.set_http_transaction_factory(&network_layer);
+  context.set_network_delegate(&network_delegate);
+
+  TestDelegate d;
+  TestURLRequest req(GURL(kGZip_Transaction.url), DEFAULT_PRIORITY, &d,
+                     &context);
+  AddMockTransaction(&kGZip_Transaction);
+
+  req.set_method("GET");
+  req.Start();
+
+  base::RunLoop().Run();
+
+  EXPECT_TRUE(network_layer.stop_caching_called());
+
+  RemoveMockTransaction(&kGZip_Transaction);
+}
+
 }  // namespace net
diff --git a/net/url_request/url_request_test_util.cc b/net/url_request/url_request_test_util.cc
index 419816bfa9..17ad31166f 100644
--- a/net/url_request/url_request_test_util.cc
+++ b/net/url_request/url_request_test_util.cc
@@ -13,6 +13,7 @@
 #include "net/cert/cert_verifier.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_network_session.h"
+#include "net/http/http_response_headers.h"
 #include "net/http/http_server_properties_impl.h"
 #include "net/http/transport_security_state.h"
 #include "net/ssl/default_server_bound_cert_store.h"
@@ -410,7 +411,8 @@ int TestNetworkDelegate::OnHeadersReceived(
     URLRequest* request,
     const CompletionCallback& callback,
     const HttpResponseHeaders* original_response_headers,
-    scoped_refptr<HttpResponseHeaders>* override_response_headers) {
+    scoped_refptr<HttpResponseHeaders>* override_response_headers,
+    GURL* allowed_unsafe_redirect_url) {
   int req_id = request->identifier();
   event_order_[req_id] += "OnHeadersReceived\n";
   InitRequestStatesIfNew(req_id);
@@ -426,6 +428,20 @@ int TestNetworkDelegate::OnHeadersReceived(
   // layer before the URLRequest reports that a response has started.
   next_states_[req_id] |= kStageBeforeSendHeaders;
 
+  if (!redirect_on_headers_received_url_.is_empty()) {
+    *override_response_headers =
+        new net::HttpResponseHeaders(original_response_headers->raw_headers());
+    (*override_response_headers)->ReplaceStatusLine("HTTP/1.1 302 Found");
+    (*override_response_headers)->RemoveHeader("Location");
+    (*override_response_headers)->AddHeader(
+        "Location: " + redirect_on_headers_received_url_.spec());
+
+    redirect_on_headers_received_url_ = GURL();
+
+    if (!allowed_unsafe_redirect_url_.is_empty())
+      *allowed_unsafe_redirect_url = allowed_unsafe_redirect_url_;
+  }
+
   return OK;
 }
 
diff --git a/net/url_request/url_request_test_util.h b/net/url_request/url_request_test_util.h
index 0d35876157..0b2f48cdbe 100644
--- a/net/url_request/url_request_test_util.h
+++ b/net/url_request/url_request_test_util.h
@@ -234,6 +234,17 @@ class TestNetworkDelegate : public NetworkDelegate {
   bool GetLoadTimingInfoBeforeAuth(
       LoadTimingInfo* load_timing_info_before_auth) const;
 
+  // Will redirect once to the given URL when the next set of headers are
+  // received.
+  void set_redirect_on_headers_received_url(
+      GURL redirect_on_headers_received_url) {
+    redirect_on_headers_received_url_ = redirect_on_headers_received_url;
+  }
+
+  void set_allowed_unsafe_redirect_url(GURL allowed_unsafe_redirect_url) {
+    allowed_unsafe_redirect_url_ = allowed_unsafe_redirect_url;
+  }
+
   void set_cookie_options(int o) {cookie_options_bit_mask_ = o; }
 
   int last_error() const { return last_error_; }
@@ -266,7 +277,8 @@ class TestNetworkDelegate : public NetworkDelegate {
       URLRequest* request,
       const CompletionCallback& callback,
       const HttpResponseHeaders* original_response_headers,
-      scoped_refptr<HttpResponseHeaders>* override_response_headers) OVERRIDE;
+      scoped_refptr<HttpResponseHeaders>* override_response_headers,
+      GURL* allowed_unsafe_redirect_url) OVERRIDE;
   virtual void OnBeforeRedirect(URLRequest* request,
                                 const GURL& new_location) OVERRIDE;
   virtual void OnResponseStarted(URLRequest* request) OVERRIDE;
@@ -296,6 +308,10 @@ class TestNetworkDelegate : public NetworkDelegate {
 
   void InitRequestStatesIfNew(int request_id);
 
+  GURL redirect_on_headers_received_url_;
+  // URL marked as safe for redirection at the onHeadersReceived stage.
+  GURL allowed_unsafe_redirect_url_;
+
   int last_error_;
   int error_count_;
   int created_requests_;
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index b85da781e1..aab2b32479 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -57,6 +57,7 @@
 #include "net/http/http_network_session.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_response_headers.h"
+#include "net/http/http_util.h"
 #include "net/ocsp/nss_ocsp.h"
 #include "net/proxy/proxy_service.h"
 #include "net/socket/ssl_client_socket.h"
@@ -367,7 +368,8 @@ class BlockingNetworkDelegate : public TestNetworkDelegate {
       URLRequest* request,
       const CompletionCallback& callback,
       const HttpResponseHeaders* original_response_headers,
-      scoped_refptr<HttpResponseHeaders>* override_response_headers) OVERRIDE;
+      scoped_refptr<HttpResponseHeaders>* override_response_headers,
+      GURL* allowed_unsafe_redirect_url) OVERRIDE;
 
   virtual NetworkDelegate::AuthRequiredResponse OnAuthRequired(
       URLRequest* request,
@@ -390,7 +392,7 @@ class BlockingNetworkDelegate : public TestNetworkDelegate {
   int retval_;  // To be returned in non-auth stages.
   AuthRequiredResponse auth_retval_;
 
-  GURL redirect_url_;  // Used if non-empty.
+  GURL redirect_url_;  // Used if non-empty during OnBeforeURLRequest.
   int block_on_;  // Bit mask: in which stages to block.
 
   // |auth_credentials_| will be copied to |*target_auth_credential_| on
@@ -482,10 +484,13 @@ int BlockingNetworkDelegate::OnHeadersReceived(
     URLRequest* request,
     const CompletionCallback& callback,
     const HttpResponseHeaders* original_response_headers,
-    scoped_refptr<HttpResponseHeaders>* override_response_headers) {
-  TestNetworkDelegate::OnHeadersReceived(
-      request, callback, original_response_headers,
-      override_response_headers);
+    scoped_refptr<HttpResponseHeaders>* override_response_headers,
+    GURL* allowed_unsafe_redirect_url) {
+  TestNetworkDelegate::OnHeadersReceived(request,
+                                         callback,
+                                         original_response_headers,
+                                         override_response_headers,
+                                         allowed_unsafe_redirect_url);
 
   return MaybeBlockStage(ON_HEADERS_RECEIVED, callback);
 }
@@ -2416,8 +2421,8 @@ class FixedDateNetworkDelegate : public TestNetworkDelegate {
       net::URLRequest* request,
       const net::CompletionCallback& callback,
       const net::HttpResponseHeaders* original_response_headers,
-      scoped_refptr<net::HttpResponseHeaders>* override_response_headers)
-      OVERRIDE;
+      scoped_refptr<net::HttpResponseHeaders>* override_response_headers,
+      GURL* allowed_unsafe_redirect_url) OVERRIDE;
 
  private:
   std::string fixed_date_;
@@ -2429,7 +2434,8 @@ int FixedDateNetworkDelegate::OnHeadersReceived(
     net::URLRequest* request,
     const net::CompletionCallback& callback,
     const net::HttpResponseHeaders* original_response_headers,
-    scoped_refptr<net::HttpResponseHeaders>* override_response_headers) {
+    scoped_refptr<net::HttpResponseHeaders>* override_response_headers,
+    GURL* allowed_unsafe_redirect_url) {
   net::HttpResponseHeaders* new_response_headers =
       new net::HttpResponseHeaders(original_response_headers->raw_headers());
 
@@ -2440,7 +2446,8 @@ int FixedDateNetworkDelegate::OnHeadersReceived(
   return TestNetworkDelegate::OnHeadersReceived(request,
                                                 callback,
                                                 original_response_headers,
-                                                override_response_headers);
+                                                override_response_headers,
+                                                allowed_unsafe_redirect_url);
 }
 
 // Test that cookie expiration times are adjusted for server/client clock
@@ -3007,6 +3014,39 @@ TEST_F(URLRequestTestHTTP, NetworkDelegateRedirectRequestPost) {
   EXPECT_EQ(1, network_delegate.destroyed_requests());
 }
 
+// Tests that the network delegate can block and redirect a request to a new
+// URL during OnHeadersReceived.
+TEST_F(URLRequestTestHTTP, NetworkDelegateRedirectRequestOnHeadersReceived) {
+  ASSERT_TRUE(test_server_.Start());
+
+  TestDelegate d;
+  BlockingNetworkDelegate network_delegate(
+      BlockingNetworkDelegate::AUTO_CALLBACK);
+  network_delegate.set_block_on(BlockingNetworkDelegate::ON_HEADERS_RECEIVED);
+  GURL redirect_url(test_server_.GetURL("simple.html"));
+  network_delegate.set_redirect_on_headers_received_url(redirect_url);
+
+  TestURLRequestContextWithProxy context(
+      test_server_.host_port_pair().ToString(), &network_delegate);
+
+  {
+    GURL original_url(test_server_.GetURL("empty.html"));
+    URLRequest r(original_url, DEFAULT_PRIORITY, &d, &context);
+
+    r.Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(URLRequestStatus::SUCCESS, r.status().status());
+    EXPECT_EQ(net::OK, r.status().error());
+    EXPECT_EQ(redirect_url, r.url());
+    EXPECT_EQ(original_url, r.original_url());
+    EXPECT_EQ(2U, r.url_chain().size());
+    EXPECT_EQ(2, network_delegate.created_requests());
+    EXPECT_EQ(0, network_delegate.destroyed_requests());
+  }
+  EXPECT_EQ(1, network_delegate.destroyed_requests());
+}
+
 // Tests that the network delegate can synchronously complete OnAuthRequired
 // by taking no action. This indicates that the NetworkDelegate does not want to
 // handle the challenge, and is passing the buck along to the
@@ -3919,10 +3959,13 @@ class AsyncLoggingNetworkDelegate : public TestNetworkDelegate {
       URLRequest* request,
       const CompletionCallback& callback,
       const HttpResponseHeaders* original_response_headers,
-      scoped_refptr<HttpResponseHeaders>* override_response_headers) OVERRIDE {
-    TestNetworkDelegate::OnHeadersReceived(request, callback,
+      scoped_refptr<HttpResponseHeaders>* override_response_headers,
+      GURL* allowed_unsafe_redirect_url) OVERRIDE {
+    TestNetworkDelegate::OnHeadersReceived(request,
+                                           callback,
                                            original_response_headers,
-                                           override_response_headers);
+                                           override_response_headers,
+                                           allowed_unsafe_redirect_url);
     return RunCallbackAsynchronously(request, callback);
   }
 
@@ -5163,6 +5206,213 @@ TEST_F(URLRequestTestHTTP, RedirectToInvalidURL) {
   EXPECT_EQ(ERR_INVALID_URL, req.status().error());
 }
 
+// Make sure redirects are cached, despite not reading their bodies.
+TEST_F(URLRequestTestHTTP, CacheRedirect) {
+  ASSERT_TRUE(test_server_.Start());
+  GURL redirect_url =
+      test_server_.GetURL("files/redirect302-to-echo-cacheable");
+
+  {
+    TestDelegate d;
+    URLRequest req(redirect_url, DEFAULT_PRIORITY, &d, &default_context_);
+    req.Start();
+    base::RunLoop().Run();
+    EXPECT_EQ(URLRequestStatus::SUCCESS, req.status().status());
+    EXPECT_EQ(1, d.received_redirect_count());
+    EXPECT_EQ(test_server_.GetURL("echo"), req.url());
+  }
+
+  {
+    TestDelegate d;
+    d.set_quit_on_redirect(true);
+    URLRequest req(redirect_url, DEFAULT_PRIORITY, &d, &default_context_);
+    req.Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(1, d.received_redirect_count());
+    EXPECT_EQ(0, d.response_started_count());
+    EXPECT_TRUE(req.was_cached());
+
+    req.FollowDeferredRedirect();
+    base::RunLoop().Run();
+    EXPECT_EQ(1, d.received_redirect_count());
+    EXPECT_EQ(1, d.response_started_count());
+    EXPECT_EQ(URLRequestStatus::SUCCESS, req.status().status());
+    EXPECT_EQ(test_server_.GetURL("echo"), req.url());
+  }
+}
+
+// Make sure a request isn't cached when a NetworkDelegate forces a redirect
+// when the headers are read, since the body won't have been read.
+TEST_F(URLRequestTestHTTP, NoCacheOnNetworkDelegateRedirect) {
+  ASSERT_TRUE(test_server_.Start());
+  // URL that is normally cached.
+  GURL initial_url = test_server_.GetURL("cachetime");
+
+  {
+    // Set up the TestNetworkDelegate tp force a redirect.
+    GURL redirect_to_url = test_server_.GetURL("echo");
+    default_network_delegate_.set_redirect_on_headers_received_url(
+        redirect_to_url);
+
+    TestDelegate d;
+    URLRequest req(initial_url, DEFAULT_PRIORITY, &d, &default_context_);
+    req.Start();
+    base::RunLoop().Run();
+    EXPECT_EQ(URLRequestStatus::SUCCESS, req.status().status());
+    EXPECT_EQ(1, d.received_redirect_count());
+    EXPECT_EQ(redirect_to_url, req.url());
+  }
+
+  {
+    TestDelegate d;
+    URLRequest req(initial_url, DEFAULT_PRIORITY, &d, &default_context_);
+    req.Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(URLRequestStatus::SUCCESS, req.status().status());
+    EXPECT_FALSE(req.was_cached());
+    EXPECT_EQ(0, d.received_redirect_count());
+    EXPECT_EQ(initial_url, req.url());
+  }
+}
+
+// Tests that redirection to an unsafe URL is allowed when it has been marked as
+// safe.
+TEST_F(URLRequestTestHTTP, UnsafeRedirectToWhitelistedUnsafeURL) {
+  ASSERT_TRUE(test_server_.Start());
+
+  GURL unsafe_url("data:text/html,this-is-considered-an-unsafe-url");
+  default_network_delegate_.set_redirect_on_headers_received_url(unsafe_url);
+  default_network_delegate_.set_allowed_unsafe_redirect_url(unsafe_url);
+
+  TestDelegate d;
+  {
+    URLRequest r(test_server_.GetURL("whatever"),
+                 DEFAULT_PRIORITY,
+                 &d,
+                 &default_context_);
+
+    r.Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(URLRequestStatus::SUCCESS, r.status().status());
+
+    EXPECT_EQ(2U, r.url_chain().size());
+    EXPECT_EQ(net::OK, r.status().error());
+    EXPECT_EQ(unsafe_url, r.url());
+    EXPECT_EQ("this-is-considered-an-unsafe-url", d.data_received());
+  }
+}
+
+// Tests that a redirect to a different unsafe URL is blocked, even after adding
+// some other URL to the whitelist.
+TEST_F(URLRequestTestHTTP, UnsafeRedirectToDifferentUnsafeURL) {
+  ASSERT_TRUE(test_server_.Start());
+
+  GURL unsafe_url("data:text/html,something");
+  GURL different_unsafe_url("data:text/html,something-else");
+  default_network_delegate_.set_redirect_on_headers_received_url(unsafe_url);
+  default_network_delegate_.set_allowed_unsafe_redirect_url(
+      different_unsafe_url);
+
+  TestDelegate d;
+  {
+    URLRequest r(test_server_.GetURL("whatever"),
+                 DEFAULT_PRIORITY,
+                 &d,
+                 &default_context_);
+
+    r.Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(URLRequestStatus::FAILED, r.status().status());
+    EXPECT_EQ(ERR_UNSAFE_REDIRECT, r.status().error());
+  }
+}
+
+// Redirects from an URL with fragment to an unsafe URL without fragment should
+// be allowed.
+TEST_F(URLRequestTestHTTP, UnsafeRedirectWithReferenceFragment) {
+  ASSERT_TRUE(test_server_.Start());
+
+  GURL original_url(test_server_.GetURL("original#fragment"));
+  GURL unsafe_url("data:,url-marked-safe-and-used-in-redirect");
+  GURL expected_url("data:,url-marked-safe-and-used-in-redirect#fragment");
+
+  default_network_delegate_.set_redirect_on_headers_received_url(unsafe_url);
+  default_network_delegate_.set_allowed_unsafe_redirect_url(unsafe_url);
+
+  TestDelegate d;
+  {
+    URLRequest r(original_url, DEFAULT_PRIORITY, &d, &default_context_);
+
+    r.Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(2U, r.url_chain().size());
+    EXPECT_EQ(URLRequestStatus::SUCCESS, r.status().status());
+    EXPECT_EQ(net::OK, r.status().error());
+    EXPECT_EQ(original_url, r.original_url());
+    EXPECT_EQ(expected_url, r.url());
+  }
+}
+
+// Redirects from an URL with fragment to an unsafe URL with fragment should
+// be allowed, and the reference fragment of the target URL should be preserved.
+TEST_F(URLRequestTestHTTP, UnsafeRedirectWithDifferentReferenceFragment) {
+  ASSERT_TRUE(test_server_.Start());
+
+  GURL original_url(test_server_.GetURL("original#fragment1"));
+  GURL unsafe_url("data:,url-marked-safe-and-used-in-redirect#fragment2");
+  GURL expected_url("data:,url-marked-safe-and-used-in-redirect#fragment2");
+
+  default_network_delegate_.set_redirect_on_headers_received_url(unsafe_url);
+  default_network_delegate_.set_allowed_unsafe_redirect_url(unsafe_url);
+
+  TestDelegate d;
+  {
+    URLRequest r(original_url, DEFAULT_PRIORITY, &d, &default_context_);
+
+    r.Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(2U, r.url_chain().size());
+    EXPECT_EQ(URLRequestStatus::SUCCESS, r.status().status());
+    EXPECT_EQ(net::OK, r.status().error());
+    EXPECT_EQ(original_url, r.original_url());
+    EXPECT_EQ(expected_url, r.url());
+  }
+}
+
+// When a delegate has specified a safe redirect URL, but it does not match the
+// redirect target, then do not prevent the reference fragment from being added.
+TEST_F(URLRequestTestHTTP, RedirectWithReferenceFragment) {
+  ASSERT_TRUE(test_server_.Start());
+
+  GURL original_url(test_server_.GetURL("original#expected-fragment"));
+  GURL unsafe_url("data:text/html,this-url-does-not-match-redirect-url");
+  GURL redirect_url(test_server_.GetURL("target"));
+  GURL expected_redirect_url(test_server_.GetURL("target#expected-fragment"));
+
+  default_network_delegate_.set_redirect_on_headers_received_url(redirect_url);
+  default_network_delegate_.set_allowed_unsafe_redirect_url(unsafe_url);
+
+  TestDelegate d;
+  {
+    URLRequest r(original_url, DEFAULT_PRIORITY, &d, &default_context_);
+
+    r.Start();
+    base::RunLoop().Run();
+
+    EXPECT_EQ(2U, r.url_chain().size());
+    EXPECT_EQ(URLRequestStatus::SUCCESS, r.status().status());
+    EXPECT_EQ(net::OK, r.status().error());
+    EXPECT_EQ(original_url, r.original_url());
+    EXPECT_EQ(expected_redirect_url, r.url());
+  }
+}
+
 TEST_F(URLRequestTestHTTP, NoUserPassInReferrer) {
   ASSERT_TRUE(test_server_.Start());
 
@@ -6204,12 +6454,11 @@ TEST_F(HTTPSRequestTest, HTTPSExpiredTest) {
 // Tests TLSv1.1 -> TLSv1 fallback. Verifies that we don't fall back more
 // than necessary.
 TEST_F(HTTPSRequestTest, TLSv1Fallback) {
-  uint16 default_version_max = SSLConfigService::default_version_max();
   // The OpenSSL library in use may not support TLS 1.1.
 #if !defined(USE_OPENSSL)
-  EXPECT_GT(default_version_max, SSL_PROTOCOL_VERSION_TLS1);
+  EXPECT_GT(kDefaultSSLVersionMax, SSL_PROTOCOL_VERSION_TLS1);
 #endif
-  if (default_version_max <= SSL_PROTOCOL_VERSION_TLS1)
+  if (kDefaultSSLVersionMax <= SSL_PROTOCOL_VERSION_TLS1)
     return;
 
   SpawnedTestServer::SSLOptions ssl_options(
@@ -6944,12 +7193,12 @@ static bool SystemSupportsHardFailRevocationChecking() {
 // several tests are effected because our testing EV certificate won't be
 // recognised as EV.
 static bool SystemUsesChromiumEVMetadata() {
-#if defined(USE_OPENSSL)
+#if defined(USE_OPENSSL_CERTS) && !defined(OS_ANDROID)
   // http://crbug.com/117478 - OpenSSL does not support EV validation.
   return false;
-#elif defined(OS_MACOSX) && !defined(OS_IOS)
-  // On OS X, we use the system to tell us whether a certificate is EV or not
-  // and the system won't recognise our testing root.
+#elif (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_ANDROID)
+  // On OS X and Android, we use the system to tell us whether a certificate is
+  // EV or not and the system won't recognise our testing root.
   return false;
 #else
   return true;
diff --git a/net/websockets/websocket_channel.cc b/net/websockets/websocket_channel.cc
index ed8a92b0df..25df3a4b7f 100644
--- a/net/websockets/websocket_channel.cc
+++ b/net/websockets/websocket_channel.cc
@@ -4,12 +4,16 @@
 
 #include "net/websockets/websocket_channel.h"
 
+#include <limits.h>  // for INT_MAX
+
 #include <algorithm>
+#include <deque>
 
 #include "base/basictypes.h"  // for size_t
 #include "base/big_endian.h"
 #include "base/bind.h"
 #include "base/compiler_specific.h"
+#include "base/memory/ref_counted.h"
 #include "base/memory/weak_ptr.h"
 #include "base/message_loop/message_loop.h"
 #include "base/numerics/safe_conversions.h"
@@ -167,8 +171,7 @@ class WebSocketChannel::ConnectDelegate
   }
 
   virtual void OnFinishOpeningHandshake(
-      scoped_ptr<WebSocketHandshakeResponseInfo> response)
-      OVERRIDE {
+      scoped_ptr<WebSocketHandshakeResponseInfo> response) OVERRIDE {
     creator_->OnFinishOpeningHandshake(response.Pass());
   }
 
@@ -217,7 +220,8 @@ class WebSocketChannel::HandshakeNotificationSender
 };
 
 WebSocketChannel::HandshakeNotificationSender::HandshakeNotificationSender(
-    WebSocketChannel* channel) : owner_(channel) {}
+    WebSocketChannel* channel)
+    : owner_(channel) {}
 
 WebSocketChannel::HandshakeNotificationSender::~HandshakeNotificationSender() {}
 
@@ -235,13 +239,13 @@ ChannelState WebSocketChannel::HandshakeNotificationSender::SendImmediately(
 
   if (handshake_request_info_.get()) {
     if (CHANNEL_DELETED == event_interface->OnStartOpeningHandshake(
-            handshake_request_info_.Pass()))
+                               handshake_request_info_.Pass()))
       return CHANNEL_DELETED;
   }
 
   if (handshake_response_info_.get()) {
     if (CHANNEL_DELETED == event_interface->OnFinishOpeningHandshake(
-            handshake_response_info_.Pass()))
+                               handshake_response_info_.Pass()))
       return CHANNEL_DELETED;
 
     // TODO(yhirano): We can release |this| to save memory because
@@ -251,6 +255,31 @@ ChannelState WebSocketChannel::HandshakeNotificationSender::SendImmediately(
   return CHANNEL_ALIVE;
 }
 
+WebSocketChannel::PendingReceivedFrame::PendingReceivedFrame(
+    bool final,
+    WebSocketFrameHeader::OpCode opcode,
+    const scoped_refptr<IOBuffer>& data,
+    size_t offset,
+    size_t size)
+    : final_(final),
+      opcode_(opcode),
+      data_(data),
+      offset_(offset),
+      size_(size) {}
+
+WebSocketChannel::PendingReceivedFrame::~PendingReceivedFrame() {}
+
+void WebSocketChannel::PendingReceivedFrame::ResetOpcode() {
+  DCHECK(WebSocketFrameHeader::IsKnownDataOpCode(opcode_));
+  opcode_ = WebSocketFrameHeader::kOpCodeContinuation;
+}
+
+void WebSocketChannel::PendingReceivedFrame::DidConsume(size_t bytes) {
+  DCHECK_LE(offset_, size_);
+  DCHECK_LE(bytes, size_ - offset_);
+  offset_ += bytes;
+}
+
 WebSocketChannel::WebSocketChannel(
     scoped_ptr<WebSocketEventInterface> event_interface,
     URLRequestContext* url_request_context)
@@ -259,6 +288,7 @@ WebSocketChannel::WebSocketChannel(
       send_quota_low_water_mark_(kDefaultSendQuotaLowWaterMark),
       send_quota_high_water_mark_(kDefaultSendQuotaHighWaterMark),
       current_send_quota_(0),
+      current_receive_quota_(0),
       timeout_(base::TimeDelta::FromSeconds(kClosingHandshakeTimeoutSeconds)),
       received_close_code_(0),
       state_(FRESHLY_CONSTRUCTED),
@@ -357,15 +387,54 @@ void WebSocketChannel::SendFrame(bool fin,
   // server is not saturated.
   scoped_refptr<IOBuffer> buffer(new IOBuffer(data.size()));
   std::copy(data.begin(), data.end(), buffer->data());
-  AllowUnused(SendIOBuffer(fin, op_code, buffer, data.size()));
+  AllowUnused(SendFrameFromIOBuffer(fin, op_code, buffer, data.size()));
   // |this| may have been deleted.
 }
 
 void WebSocketChannel::SendFlowControl(int64 quota) {
   DCHECK(state_ == CONNECTING || state_ == CONNECTED || state_ == SEND_CLOSED ||
          state_ == CLOSE_WAIT);
-  // TODO(ricea): Add interface to WebSocketStream and implement.
-  // stream_->SendFlowControl(quota);
+  // TODO(ricea): Kill the renderer if it tries to send us a negative quota
+  // value or > INT_MAX.
+  DCHECK_GE(quota, 0);
+  DCHECK_LE(quota, INT_MAX);
+  if (!pending_received_frames_.empty()) {
+    DCHECK_EQ(0, current_receive_quota_);
+  }
+  while (!pending_received_frames_.empty() && quota > 0) {
+    PendingReceivedFrame& front = pending_received_frames_.front();
+    const size_t data_size = front.size() - front.offset();
+    const size_t bytes_to_send =
+        std::min(base::checked_cast<size_t>(quota), data_size);
+    const bool final = front.final() && data_size == bytes_to_send;
+    const char* data = front.data()->data() + front.offset();
+    const std::vector<char> data_vector(data, data + bytes_to_send);
+    DVLOG(3) << "Sending frame previously split due to quota to the "
+             << "renderer: quota=" << quota << " data_size=" << data_size
+             << " bytes_to_send=" << bytes_to_send;
+    if (event_interface_->OnDataFrame(final, front.opcode(), data_vector) ==
+        CHANNEL_DELETED)
+      return;
+    if (bytes_to_send < data_size) {
+      front.DidConsume(bytes_to_send);
+      front.ResetOpcode();
+      return;
+    }
+    const int64 signed_bytes_to_send = base::checked_cast<int64>(bytes_to_send);
+    DCHECK_GE(quota, signed_bytes_to_send);
+    quota -= signed_bytes_to_send;
+
+    pending_received_frames_.pop();
+  }
+  // If current_receive_quota_ == 0 then there is no pending ReadFrames()
+  // operation.
+  const bool start_read =
+      current_receive_quota_ == 0 && quota > 0 &&
+      (state_ == CONNECTED || state_ == SEND_CLOSED || state_ == CLOSE_WAIT);
+  current_receive_quota_ += base::checked_cast<int>(quota);
+  if (start_read)
+    AllowUnused(ReadFrames());
+  // |this| may have been deleted.
 }
 
 void WebSocketChannel::StartClosingHandshake(uint16 code,
@@ -465,6 +534,7 @@ void WebSocketChannel::OnConnectSuccess(scoped_ptr<WebSocketStream> stream) {
 
   // |stream_request_| is not used once the connection has succeeded.
   stream_request_.reset();
+
   AllowUnused(ReadFrames());
   // |this| may have been deleted.
 }
@@ -574,7 +644,7 @@ ChannelState WebSocketChannel::OnWriteDone(bool synchronous, int result) {
 
 ChannelState WebSocketChannel::ReadFrames() {
   int result = OK;
-  do {
+  while (result == OK && current_receive_quota_ > 0) {
     // This use of base::Unretained is safe because this object owns the
     // WebSocketStream, and any pending reads will be cancelled when it is
     // destroyed.
@@ -588,7 +658,7 @@ ChannelState WebSocketChannel::ReadFrames() {
         return CHANNEL_DELETED;
     }
     DCHECK_NE(CLOSED, state_);
-  } while (result == OK);
+  }
   return CHANNEL_ALIVE;
 }
 
@@ -642,8 +712,7 @@ ChannelState WebSocketChannel::OnReadDone(bool synchronous, int result) {
   }
 }
 
-ChannelState WebSocketChannel::HandleFrame(
-    scoped_ptr<WebSocketFrame> frame) {
+ChannelState WebSocketChannel::HandleFrame(scoped_ptr<WebSocketFrame> frame) {
   if (frame->header.masked) {
     // RFC6455 Section 5.1 "A client MUST close a connection if it detects a
     // masked frame."
@@ -691,7 +760,7 @@ ChannelState WebSocketChannel::HandleFrameByState(
         frame_name + " received after close", kWebSocketErrorProtocolError, "");
   }
   switch (opcode) {
-    case WebSocketFrameHeader::kOpCodeText:    // fall-thru
+    case WebSocketFrameHeader::kOpCodeText:  // fall-thru
     case WebSocketFrameHeader::kOpCodeBinary:
     case WebSocketFrameHeader::kOpCodeContinuation:
       return HandleDataFrame(opcode, final, data_buffer, size);
@@ -699,7 +768,7 @@ ChannelState WebSocketChannel::HandleFrameByState(
     case WebSocketFrameHeader::kOpCodePing:
       VLOG(1) << "Got Ping of size " << size;
       if (state_ == CONNECTED)
-        return SendIOBuffer(
+        return SendFrameFromIOBuffer(
             true, WebSocketFrameHeader::kOpCodePong, data_buffer, size);
       VLOG(3) << "Ignored ping in state " << state_;
       return CHANNEL_ALIVE;
@@ -710,6 +779,10 @@ ChannelState WebSocketChannel::HandleFrameByState(
       return CHANNEL_ALIVE;
 
     case WebSocketFrameHeader::kOpCodeClose: {
+      // TODO(ricea): If there is a message which is queued for transmission to
+      // the renderer, then the renderer should not receive an
+      // OnClosingHandshake or OnDropChannel IPC until the queued message has
+      // been completedly transmitted.
       uint16 code = kWebSocketNormalClosure;
       std::string reason;
       std::string message;
@@ -807,20 +880,34 @@ ChannelState WebSocketChannel::HandleDataFrame(
     return CHANNEL_ALIVE;
 
   initial_frame_forwarded_ = !final;
+  if (size > base::checked_cast<size_t>(current_receive_quota_) ||
+      !pending_received_frames_.empty()) {
+    const bool no_quota = (current_receive_quota_ == 0);
+    DCHECK(no_quota || pending_received_frames_.empty());
+    DVLOG(3) << "Queueing frame to renderer due to quota. quota="
+             << current_receive_quota_ << " size=" << size;
+    WebSocketFrameHeader::OpCode opcode_to_queue =
+        no_quota ? opcode_to_send : WebSocketFrameHeader::kOpCodeContinuation;
+    pending_received_frames_.push(PendingReceivedFrame(
+        final, opcode_to_queue, data_buffer, current_receive_quota_, size));
+    if (no_quota)
+      return CHANNEL_ALIVE;
+    size = current_receive_quota_;
+    final = false;
+  }
+
   // TODO(ricea): Can this copy be eliminated?
   const char* const data_begin = size ? data_buffer->data() : NULL;
   const char* const data_end = data_begin + size;
   const std::vector<char> data(data_begin, data_end);
-  // TODO(ricea): Handle the case when ReadFrames returns far
-  // more data at once than should be sent in a single IPC. This needs to
-  // be handled carefully, as an overloaded IO thread is one possible
-  // cause of receiving very large chunks.
+  current_receive_quota_ -= size;
+  DCHECK_GE(current_receive_quota_, 0);
 
   // Sends the received frame to the renderer process.
   return event_interface_->OnDataFrame(final, opcode_to_send, data);
 }
 
-ChannelState WebSocketChannel::SendIOBuffer(
+ChannelState WebSocketChannel::SendFrameFromIOBuffer(
     bool fin,
     WebSocketFrameHeader::OpCode op_code,
     const scoped_refptr<IOBuffer>& buffer,
@@ -898,7 +985,8 @@ ChannelState WebSocketChannel::SendClose(uint16 code,
       FROM_HERE,
       timeout_,
       base::Bind(&WebSocketChannel::CloseTimeout, base::Unretained(this)));
-  if (SendIOBuffer(true, WebSocketFrameHeader::kOpCodeClose, body, size) ==
+  if (SendFrameFromIOBuffer(
+          true, WebSocketFrameHeader::kOpCodeClose, body, size) ==
       CHANNEL_DELETED)
     return CHANNEL_DELETED;
   return CHANNEL_ALIVE;
diff --git a/net/websockets/websocket_channel.h b/net/websockets/websocket_channel.h
index 183f2bed0c..80c4290976 100644
--- a/net/websockets/websocket_channel.h
+++ b/net/websockets/websocket_channel.h
@@ -5,6 +5,7 @@
 #ifndef NET_WEBSOCKETS_WEBSOCKET_CHANNEL_H_
 #define NET_WEBSOCKETS_WEBSOCKET_CHANNEL_H_
 
+#include <queue>
 #include <string>
 #include <vector>
 
@@ -12,6 +13,7 @@
 #include "base/callback.h"
 #include "base/compiler_specific.h"  // for WARN_UNUSED_RESULT
 #include "base/i18n/streaming_utf8_validator.h"
+#include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/scoped_vector.h"
 #include "base/time/time.h"
@@ -121,6 +123,42 @@ class NET_EXPORT WebSocketChannel {
  private:
   class HandshakeNotificationSender;
 
+  // The Windows implementation of std::queue requires that this declaration be
+  // visible in the header.
+  class PendingReceivedFrame {
+   public:
+    PendingReceivedFrame(bool final,
+                         WebSocketFrameHeader::OpCode opcode,
+                         const scoped_refptr<IOBuffer>& data,
+                         size_t offset,
+                         size_t size);
+    ~PendingReceivedFrame();
+
+    bool final() const { return final_; }
+    WebSocketFrameHeader::OpCode opcode() const { return opcode_; }
+    // ResetOpcode() to Continuation.
+    void ResetOpcode();
+    const scoped_refptr<IOBuffer>& data() const { return data_; }
+    size_t offset() const { return offset_; }
+    size_t size() const { return size_; }
+    // Increase |offset_| by |bytes|.
+    void DidConsume(size_t bytes);
+
+    // This object needs to be copyable and assignable, since it will be placed
+    // in a std::queue. The compiler-generated copy constructor and assignment
+    // operator will do the right thing.
+
+   private:
+    bool final_;
+    WebSocketFrameHeader::OpCode opcode_;
+    scoped_refptr<IOBuffer> data_;
+    // Where to start reading from data_. Everything prior to offset_ has
+    // already been sent to the browser.
+    size_t offset_;
+    // The size of data_.
+    size_t size_;
+  };
+
   // Methods which return a value of type ChannelState may delete |this|. If the
   // return value is CHANNEL_DELETED, then the caller must return without making
   // any further access to member variables or methods.
@@ -183,7 +221,8 @@ class NET_EXPORT WebSocketChannel {
   // WriteFrames() itself.
   ChannelState OnWriteDone(bool synchronous, int result) WARN_UNUSED_RESULT;
 
-  // Calls WebSocketStream::ReadFrames() with the appropriate arguments.
+  // Calls WebSocketStream::ReadFrames() with the appropriate arguments. Stops
+  // calling ReadFrames if current_receive_quota_ is 0.
   ChannelState ReadFrames() WARN_UNUSED_RESULT;
 
   // Callback from WebSocketStream::ReadFrames. Handles any errors and processes
@@ -223,10 +262,10 @@ class NET_EXPORT WebSocketChannel {
   // when the current write finishes. |fin| and |op_code| are defined as for
   // SendFrame() above, except that |op_code| may also be a control frame
   // opcode.
-  ChannelState SendIOBuffer(bool fin,
-                            WebSocketFrameHeader::OpCode op_code,
-                            const scoped_refptr<IOBuffer>& buffer,
-                            size_t size) WARN_UNUSED_RESULT;
+  ChannelState SendFrameFromIOBuffer(bool fin,
+                                     WebSocketFrameHeader::OpCode op_code,
+                                     const scoped_refptr<IOBuffer>& buffer,
+                                     size_t size) WARN_UNUSED_RESULT;
 
   // Performs the "Fail the WebSocket Connection" operation as defined in
   // RFC6455. A NotifyFailure message is sent to the renderer with |message|.
@@ -297,6 +336,10 @@ class NET_EXPORT WebSocketChannel {
   // Destination for the current call to WebSocketStream::ReadFrames
   ScopedVector<WebSocketFrame> read_frames_;
 
+  // Frames that have been read but not yet forwarded to the renderer due to
+  // lack of quota.
+  std::queue<PendingReceivedFrame> pending_received_frames_;
+
   // Handle to an in-progress WebSocketStream creation request. Only non-NULL
   // during the connection process.
   scoped_ptr<WebSocketStreamRequest> stream_request_;
@@ -311,6 +354,9 @@ class NET_EXPORT WebSocketChannel {
   // The current amount of quota that the renderer has available for sending
   // on this logical channel (quota units).
   int current_send_quota_;
+  // The remaining amount of quota that the renderer will allow us to send on
+  // this logical channel (quota units).
+  int current_receive_quota_;
 
   // Timer for the closing handshake.
   base::OneShotTimer<WebSocketChannel> timer_;
diff --git a/net/websockets/websocket_channel_test.cc b/net/websockets/websocket_channel_test.cc
index 8d8686dac5..82078cbbf9 100644
--- a/net/websockets/websocket_channel_test.cc
+++ b/net/websockets/websocket_channel_test.cc
@@ -4,6 +4,7 @@
 
 #include "net/websockets/websocket_channel.h"
 
+#include <limits.h>
 #include <string.h>
 
 #include <iostream>
@@ -129,13 +130,16 @@ const size_t kDefaultQuotaRefreshTrigger = (1 << 16) + 1;
 // in that time! I would like my tests to run a bit quicker.
 const int kVeryTinyTimeoutMillis = 1;
 
+// Enough quota to pass any test.
+const int64 kPlentyOfQuota = INT_MAX;
+
 typedef WebSocketEventInterface::ChannelState ChannelState;
 const ChannelState CHANNEL_ALIVE = WebSocketEventInterface::CHANNEL_ALIVE;
 const ChannelState CHANNEL_DELETED = WebSocketEventInterface::CHANNEL_DELETED;
 
 // This typedef mainly exists to avoid having to repeat the "NOLINT" incantation
 // all over the place.
-typedef MockFunction<void(int)> Checkpoint;  // NOLINT
+typedef StrictMock< MockFunction<void(int)> > Checkpoint;  // NOLINT
 
 // This mock is for testing expectations about how the EventInterface is used.
 class MockWebSocketEventInterface : public WebSocketEventInterface {
@@ -731,6 +735,9 @@ class WebSocketChannelTest : public ::testing::Test {
   // well. This method is virtual so that subclasses can also set the stream.
   virtual void CreateChannelAndConnectSuccessfully() {
     CreateChannelAndConnect();
+    // Most tests aren't concerned with flow control from the renderer, so allow
+    // MAX_INT quota units.
+    channel_->SendFlowControl(kPlentyOfQuota);
     connect_data_.creator.connect_delegate->OnSuccess(stream_.Pass());
   }
 
@@ -944,6 +951,21 @@ class WebSocketChannelSendUtf8Test
   }
 };
 
+// Fixture for tests which test use of receive quota from the renderer.
+class WebSocketChannelFlowControlTest
+    : public WebSocketChannelEventInterfaceTest {
+ protected:
+  // Tests using this fixture should use CreateChannelAndConnectWithQuota()
+  // instead of CreateChannelAndConnectSuccessfully().
+  void CreateChannelAndConnectWithQuota(int64 quota) {
+    CreateChannelAndConnect();
+    channel_->SendFlowControl(quota);
+    connect_data_.creator.connect_delegate->OnSuccess(stream_.Pass());
+  }
+
+  virtual void CreateChannelAndConnectSuccesfully() { NOTREACHED(); }
+};
+
 // Fixture for tests which test UTF-8 validation of received Text frames using a
 // mock WebSocketStream.
 class WebSocketChannelReceiveUtf8Test : public WebSocketChannelStreamTest {
@@ -2141,6 +2163,280 @@ TEST_F(WebSocketChannelEventInterfaceTest,
   completion.WaitForResult();
 }
 
+// The renderer should provide us with some quota immediately, and then
+// WebSocketChannel calls ReadFrames as soon as the stream is available.
+TEST_F(WebSocketChannelStreamTest, FlowControlEarly) {
+  Checkpoint checkpoint;
+  EXPECT_CALL(*mock_stream_, GetSubProtocol()).Times(AnyNumber());
+  EXPECT_CALL(*mock_stream_, GetExtensions()).Times(AnyNumber());
+  {
+    InSequence s;
+    EXPECT_CALL(checkpoint, Call(1));
+    EXPECT_CALL(*mock_stream_, ReadFrames(_, _))
+        .WillOnce(Return(ERR_IO_PENDING));
+    EXPECT_CALL(checkpoint, Call(2));
+  }
+
+  set_stream(mock_stream_.Pass());
+  CreateChannelAndConnect();
+  channel_->SendFlowControl(kPlentyOfQuota);
+  checkpoint.Call(1);
+  connect_data_.creator.connect_delegate->OnSuccess(stream_.Pass());
+  checkpoint.Call(2);
+}
+
+// If for some reason the connect succeeds before the renderer sends us quota,
+// we shouldn't call ReadFrames() immediately.
+// TODO(ricea): Actually we should call ReadFrames() with a small limit so we
+// can still handle control frames. This should be done once we have any API to
+// expose quota to the lower levels.
+TEST_F(WebSocketChannelStreamTest, FlowControlLate) {
+  Checkpoint checkpoint;
+  EXPECT_CALL(*mock_stream_, GetSubProtocol()).Times(AnyNumber());
+  EXPECT_CALL(*mock_stream_, GetExtensions()).Times(AnyNumber());
+  {
+    InSequence s;
+    EXPECT_CALL(checkpoint, Call(1));
+    EXPECT_CALL(*mock_stream_, ReadFrames(_, _))
+        .WillOnce(Return(ERR_IO_PENDING));
+    EXPECT_CALL(checkpoint, Call(2));
+  }
+
+  set_stream(mock_stream_.Pass());
+  CreateChannelAndConnect();
+  connect_data_.creator.connect_delegate->OnSuccess(stream_.Pass());
+  checkpoint.Call(1);
+  channel_->SendFlowControl(kPlentyOfQuota);
+  checkpoint.Call(2);
+}
+
+// We should stop calling ReadFrames() when all quota is used.
+TEST_F(WebSocketChannelStreamTest, FlowControlStopsReadFrames) {
+  static const InitFrame frames[] = {
+      {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText, NOT_MASKED, "FOUR"}};
+
+  EXPECT_CALL(*mock_stream_, GetSubProtocol()).Times(AnyNumber());
+  EXPECT_CALL(*mock_stream_, GetExtensions()).Times(AnyNumber());
+  EXPECT_CALL(*mock_stream_, ReadFrames(_, _))
+      .WillOnce(ReturnFrames(&frames));
+
+  set_stream(mock_stream_.Pass());
+  CreateChannelAndConnect();
+  channel_->SendFlowControl(4);
+  connect_data_.creator.connect_delegate->OnSuccess(stream_.Pass());
+}
+
+// Providing extra quota causes ReadFrames() to be called again.
+TEST_F(WebSocketChannelStreamTest, FlowControlStartsWithMoreQuota) {
+  static const InitFrame frames[] = {
+      {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText, NOT_MASKED, "FOUR"}};
+  Checkpoint checkpoint;
+
+  EXPECT_CALL(*mock_stream_, GetSubProtocol()).Times(AnyNumber());
+  EXPECT_CALL(*mock_stream_, GetExtensions()).Times(AnyNumber());
+  {
+    InSequence s;
+    EXPECT_CALL(*mock_stream_, ReadFrames(_, _))
+        .WillOnce(ReturnFrames(&frames));
+    EXPECT_CALL(checkpoint, Call(1));
+    EXPECT_CALL(*mock_stream_, ReadFrames(_, _))
+        .WillOnce(Return(ERR_IO_PENDING));
+  }
+
+  set_stream(mock_stream_.Pass());
+  CreateChannelAndConnect();
+  channel_->SendFlowControl(4);
+  connect_data_.creator.connect_delegate->OnSuccess(stream_.Pass());
+  checkpoint.Call(1);
+  channel_->SendFlowControl(4);
+}
+
+// ReadFrames() isn't called again until all pending data has been passed to
+// the renderer.
+TEST_F(WebSocketChannelStreamTest, ReadFramesNotCalledUntilQuotaAvailable) {
+  static const InitFrame frames[] = {
+      {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText, NOT_MASKED, "FOUR"}};
+  Checkpoint checkpoint;
+
+  EXPECT_CALL(*mock_stream_, GetSubProtocol()).Times(AnyNumber());
+  EXPECT_CALL(*mock_stream_, GetExtensions()).Times(AnyNumber());
+  {
+    InSequence s;
+    EXPECT_CALL(*mock_stream_, ReadFrames(_, _))
+        .WillOnce(ReturnFrames(&frames));
+    EXPECT_CALL(checkpoint, Call(1));
+    EXPECT_CALL(checkpoint, Call(2));
+    EXPECT_CALL(*mock_stream_, ReadFrames(_, _))
+        .WillOnce(Return(ERR_IO_PENDING));
+  }
+
+  set_stream(mock_stream_.Pass());
+  CreateChannelAndConnect();
+  channel_->SendFlowControl(2);
+  connect_data_.creator.connect_delegate->OnSuccess(stream_.Pass());
+  checkpoint.Call(1);
+  channel_->SendFlowControl(2);
+  checkpoint.Call(2);
+  channel_->SendFlowControl(2);
+}
+
+// A message that needs to be split into frames to fit within quota should
+// maintain correct semantics.
+TEST_F(WebSocketChannelFlowControlTest, SingleFrameMessageSplitSync) {
+  scoped_ptr<ReadableFakeWebSocketStream> stream(
+      new ReadableFakeWebSocketStream);
+  static const InitFrame frames[] = {
+      {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText, NOT_MASKED, "FOUR"}};
+  stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
+  set_stream(stream.Pass());
+  {
+    InSequence s;
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(false, _, _));
+    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(
+        *event_interface_,
+        OnDataFrame(false, WebSocketFrameHeader::kOpCodeText, AsVector("FO")));
+    EXPECT_CALL(
+        *event_interface_,
+        OnDataFrame(
+            false, WebSocketFrameHeader::kOpCodeContinuation, AsVector("U")));
+    EXPECT_CALL(
+        *event_interface_,
+        OnDataFrame(
+            true, WebSocketFrameHeader::kOpCodeContinuation, AsVector("R")));
+  }
+
+  CreateChannelAndConnectWithQuota(2);
+  channel_->SendFlowControl(1);
+  channel_->SendFlowControl(1);
+}
+
+// The code path for async messages is slightly different, so test it
+// separately.
+TEST_F(WebSocketChannelFlowControlTest, SingleFrameMessageSplitAsync) {
+  scoped_ptr<ReadableFakeWebSocketStream> stream(
+      new ReadableFakeWebSocketStream);
+  static const InitFrame frames[] = {
+      {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText, NOT_MASKED, "FOUR"}};
+  stream->PrepareReadFrames(ReadableFakeWebSocketStream::ASYNC, OK, frames);
+  set_stream(stream.Pass());
+  Checkpoint checkpoint;
+  {
+    InSequence s;
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(false, _, _));
+    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(checkpoint, Call(1));
+    EXPECT_CALL(
+        *event_interface_,
+        OnDataFrame(false, WebSocketFrameHeader::kOpCodeText, AsVector("FO")));
+    EXPECT_CALL(checkpoint, Call(2));
+    EXPECT_CALL(
+        *event_interface_,
+        OnDataFrame(
+            false, WebSocketFrameHeader::kOpCodeContinuation, AsVector("U")));
+    EXPECT_CALL(checkpoint, Call(3));
+    EXPECT_CALL(
+        *event_interface_,
+        OnDataFrame(
+            true, WebSocketFrameHeader::kOpCodeContinuation, AsVector("R")));
+  }
+
+  CreateChannelAndConnectWithQuota(2);
+  checkpoint.Call(1);
+  base::MessageLoop::current()->RunUntilIdle();
+  checkpoint.Call(2);
+  channel_->SendFlowControl(1);
+  checkpoint.Call(3);
+  channel_->SendFlowControl(1);
+}
+
+// A message split into multiple frames which is further split due to quota
+// restrictions should stil be correct.
+// TODO(ricea): The message ends up split into more frames than are strictly
+// necessary. The complexity/performance tradeoffs here need further
+// examination.
+TEST_F(WebSocketChannelFlowControlTest, MultipleFrameSplit) {
+  scoped_ptr<ReadableFakeWebSocketStream> stream(
+      new ReadableFakeWebSocketStream);
+  static const InitFrame frames[] = {
+      {NOT_FINAL_FRAME, WebSocketFrameHeader::kOpCodeText,
+       NOT_MASKED,      "FIRST FRAME IS 25 BYTES. "},
+      {NOT_FINAL_FRAME, WebSocketFrameHeader::kOpCodeContinuation,
+       NOT_MASKED,      "SECOND FRAME IS 26 BYTES. "},
+      {FINAL_FRAME,     WebSocketFrameHeader::kOpCodeContinuation,
+       NOT_MASKED,      "FINAL FRAME IS 24 BYTES."}};
+  stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
+  set_stream(stream.Pass());
+  {
+    InSequence s;
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(false, _, _));
+    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_,
+                OnDataFrame(false,
+                            WebSocketFrameHeader::kOpCodeText,
+                            AsVector("FIRST FRAME IS")));
+    EXPECT_CALL(*event_interface_,
+                OnDataFrame(false,
+                            WebSocketFrameHeader::kOpCodeContinuation,
+                            AsVector(" 25 BYTES. ")));
+    EXPECT_CALL(*event_interface_,
+                OnDataFrame(false,
+                            WebSocketFrameHeader::kOpCodeContinuation,
+                            AsVector("SECOND FRAME IS 26 BYTES. ")));
+    EXPECT_CALL(*event_interface_,
+                OnDataFrame(false,
+                            WebSocketFrameHeader::kOpCodeContinuation,
+                            AsVector("FINAL ")));
+    EXPECT_CALL(*event_interface_,
+                OnDataFrame(true,
+                            WebSocketFrameHeader::kOpCodeContinuation,
+                            AsVector("FRAME IS 24 BYTES.")));
+  }
+  CreateChannelAndConnectWithQuota(14);
+  channel_->SendFlowControl(43);
+  channel_->SendFlowControl(32);
+}
+
+// An empty message handled when we are out of quota must not be delivered
+// out-of-order with respect to other messages.
+TEST_F(WebSocketChannelFlowControlTest, EmptyMessageNoQuota) {
+  scoped_ptr<ReadableFakeWebSocketStream> stream(
+      new ReadableFakeWebSocketStream);
+  static const InitFrame frames[] = {
+      {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText,
+       NOT_MASKED,  "FIRST MESSAGE"},
+      {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText,
+       NOT_MASKED,  ""},
+      {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText,
+       NOT_MASKED,  "THIRD MESSAGE"}};
+  stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
+  set_stream(stream.Pass());
+  {
+    InSequence s;
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(false, _, _));
+    EXPECT_CALL(*event_interface_, OnFlowControl(_));
+    EXPECT_CALL(*event_interface_,
+                OnDataFrame(false,
+                            WebSocketFrameHeader::kOpCodeText,
+                            AsVector("FIRST ")));
+    EXPECT_CALL(*event_interface_,
+                OnDataFrame(true,
+                            WebSocketFrameHeader::kOpCodeContinuation,
+                            AsVector("MESSAGE")));
+    EXPECT_CALL(*event_interface_,
+                OnDataFrame(true,
+                            WebSocketFrameHeader::kOpCodeText,
+                            AsVector("")));
+    EXPECT_CALL(*event_interface_,
+                OnDataFrame(true,
+                            WebSocketFrameHeader::kOpCodeText,
+                            AsVector("THIRD MESSAGE")));
+  }
+
+  CreateChannelAndConnectWithQuota(6);
+  channel_->SendFlowControl(128);
+}
+
 // RFC6455 5.1 "a client MUST mask all frames that it sends to the server".
 // WebSocketChannel actually only sets the mask bit in the header, it doesn't
 // perform masking itself (not all transports actually use masking).
@@ -2490,13 +2786,9 @@ TEST_F(WebSocketChannelStreamTest, WaitingMessagesAreBatched) {
   write_callback.Run(OK);
 }
 
-// When the renderer sends more on a channel than it has quota for, then we send
-// a kWebSocketMuxErrorSendQuotaViolation status code (from the draft websocket
-// mux specification) back to the renderer. This should not be sent to the
-// remote server, which may not even implement the mux specification, and could
-// even be using a different extension which uses that code to mean something
-// else.
-TEST_F(WebSocketChannelStreamTest, MuxErrorIsNotSentToStream) {
+// When the renderer sends more on a channel than it has quota for, we send the
+// remote server a kWebSocketErrorGoingAway error code.
+TEST_F(WebSocketChannelStreamTest, SendGoingAwayOnRendererQuotaExceeded) {
   static const InitFrame expected[] = {
       {FINAL_FRAME, WebSocketFrameHeader::kOpCodeClose,
        MASKED,      CLOSE_DATA(GOING_AWAY, "")}};
@@ -2974,6 +3266,7 @@ class WebSocketChannelStreamTimeoutTest : public WebSocketChannelStreamTest {
   virtual void CreateChannelAndConnectSuccessfully() OVERRIDE {
     set_stream(mock_stream_.Pass());
     CreateChannelAndConnect();
+    channel_->SendFlowControl(kPlentyOfQuota);
     channel_->SetClosingHandshakeTimeoutForTesting(
         TimeDelta::FromMilliseconds(kVeryTinyTimeoutMillis));
     connect_data_.creator.connect_delegate->OnSuccess(stream_.Pass());
diff --git a/net/websockets/websocket_job_test.cc b/net/websockets/websocket_job_test.cc
index 3d7d4242de..e12ddae81c 100644
--- a/net/websockets/websocket_job_test.cc
+++ b/net/websockets/websocket_job_test.cc
@@ -204,6 +204,12 @@ class MockCookieStore : public CookieStore {
       callback.Run(GetCookiesWithOptions(url, options));
   }
 
+  virtual void GetAllCookiesForURLAsync(
+      const GURL& url,
+      const GetCookieListCallback& callback) OVERRIDE {
+    ADD_FAILURE();
+  }
+
   virtual void DeleteCookieAsync(const GURL& url,
                                  const std::string& cookie_name,
                                  const base::Closure& callback) OVERRIDE {