
Issue 621252


Issue metadata

Status: Verified
Closed: Jun 2016
OS: All
Pri: 2
Type: Bug

Blocking:
issue 620178




TransportSecurityState should provide information about whether CT is required

Project Member Reported by rsleevi@chromium.org, Jun 17 2016

Issue description

TSS already tracks policies for HSTS, HPKP, and whether CT is expected. Complete the circle and add the ability to track when CT is required.

This should be enforced during socket establishment, similar to HPKP.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jun 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4a6ca8c5929a170798ad87339fb070361c2a3777

commit 4a6ca8c5929a170798ad87339fb070361c2a3777
Author: rsleevi <rsleevi@chromium.org>
Date: Fri Jun 24 03:05:22 2016

Introduce the ability to require CT for specific hosts

Add the ability for TransportSecurityState to determine
if a host/certificate/public key hashes is required to
supply valid Certificate Transparency information. If so,
cause the connection to fail with
ERR_SSL_CERTIFICATE_REQUIRED (even when using QUIC).

To override the TSS policy decisions with custom logic,
this adds the ability to set a RequireCTDelegate on the
TSS, which allows hosts to be opted-in or opted-out of
the CT requirement.

To support this change in enforcement, this also ensures
that both public key pins and CT information are checked
in parallel, but that the PKP error is treated as more
serious than the CT error.

BUG= 621252 
R=davidben@chromium.org, estark@chromium.org, eugenebut@chromium.org

Review-Url: https://codereview.chromium.org/2076363002
Cr-Commit-Position: refs/heads/master@{#401801}

[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/ios/web/navigation/crw_session_certificate_policy_manager.mm
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/base/net_error_list.h
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/cert/cert_status_flags.cc
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/cert/cert_status_flags.h
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/cert/cert_status_flags_list.h
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/http/transport_security_state.cc
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/http/transport_security_state.h
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/http/transport_security_state_unittest.cc
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/quic/crypto/proof_verifier_chromium.cc
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/quic/crypto/proof_verifier_chromium_test.cc
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/socket/ssl_client_socket_impl.cc
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/socket/ssl_client_socket_impl.h
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/socket/ssl_client_socket_unittest.cc
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/spdy/spdy_session.cc
[modify] https://crrev.com/4a6ca8c5929a170798ad87339fb070361c2a3777/net/spdy/spdy_session_unittest.cc
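
The decision flow described in the commit message above, as an added example that is not Chromium source: a delegate can opt a host in or out of the CT requirement, and a pin failure takes precedence over a CT failure. Apart from `RequireCTDelegate`, every class, method and enum name here is an assumption made for illustration, and the host names are constructed.

```cpp
// Simplified model, not Chromium code; names other than RequireCTDelegate are hypothetical.
#include <set>
#include <string>

enum class CTRequirementLevel { kDefault, kRequired, kNotRequired };
enum class Result { kOk, kPinViolation, kCTRequired };

// Embedder hook that can opt a host in to or out of the CT requirement.
class RequireCTDelegate {
 public:
  virtual ~RequireCTDelegate() = default;
  virtual CTRequirementLevel IsCTRequiredForHost(const std::string& host) = 0;
};

// Constructed sample delegate backed by explicit opt-in and opt-out lists.
class ListDelegate : public RequireCTDelegate {
 public:
  std::set<std::string> opt_in, opt_out;
  CTRequirementLevel IsCTRequiredForHost(const std::string& host) override {
    if (opt_in.count(host)) return CTRequirementLevel::kRequired;
    if (opt_out.count(host)) return CTRequirementLevel::kNotRequired;
    return CTRequirementLevel::kDefault;
  }
};

class PolicyState {
 public:
  void SetRequireCTDelegate(RequireCTDelegate* d) { delegate_ = d; }
  void AddBuiltInCTHost(const std::string& host) { ct_hosts_.insert(host); }
  // An explicit delegate answer wins; kDefault falls back to built-in policy.
  bool ShouldRequireCT(const std::string& host) const {
    if (delegate_) {
      CTRequirementLevel level = delegate_->IsCTRequiredForHost(host);
      if (level != CTRequirementLevel::kDefault)
        return level == CTRequirementLevel::kRequired;
    }
    return ct_hosts_.count(host) > 0;
  }
  // Both checks are evaluated; the pin failure is reported as the more serious.
  Result CheckConnection(const std::string& host, bool pins_ok,
                         bool ct_compliant) const {
    bool ct_failed = ShouldRequireCT(host) && !ct_compliant;
    if (!pins_ok) return Result::kPinViolation;
    return ct_failed ? Result::kCTRequired : Result::kOk;
  }

 private:
  RequireCTDelegate* delegate_ = nullptr;
  std::set<std::string> ct_hosts_;
};
```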

Status: Verified (was: Started)

Is there a way to use require-CT right now? Is it expected that the preload list doesn't have a test entry for it?

Is there a way to use require-CT right now? Intentionally, no. And certainly not via preload :)
Is it expected that the preload list doesn't have a test entry? Yes :)

This bug was not about adding it to the preload list. It was about making TransportSecurityState aware of whether it should be required. For the bug this is blocking, TransportSecurityState just needed to be able to reply about the domain policies - there's no need for a preload list.

(And subsequent CLs offer the way to wire it up via the Policy & Prefs subsystems, rather than preload, which offers a bit more flexibility)

Regarding whether it should (which should be a new bug), I think we MUST resolve some of the issues from Issue 620928 first.

Sounds good; just wanted to make sure I didn't miss anything!
