cef/patch/patches/net_security_expiration_1994.patch

diff --git net/cert/ct_policy_enforcer.cc net/cert/ct_policy_enforcer.cc
index 42f631e..b02edb0 100644
--- net/cert/ct_policy_enforcer.cc
+++ net/cert/ct_policy_enforcer.cc
@@ -36,15 +36,6 @@ namespace net {
 
 namespace {
 
-// Returns true if the current build is recent enough to ensure that
-// built-in security information (e.g. CT Logs) is fresh enough.
-// TODO(eranm): Move to base or net/base
-bool IsBuildTimely() {
-  const base::Time build_time = base::GetBuildTime();
-  // We consider built-in information to be timely for 10 weeks.
-  return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
-}
-
 // Returns a rounded-down months difference of |start| and |end|,
 // together with an indication of whether the last month was
 // a full month, because the range starts specified in the policy
@@ -459,4 +450,13 @@ ct::EVPolicyCompliance CTPolicyEnforcer::DoesConformToCTEVPolicy(
   return details.status;
 }
 
+bool CTPolicyEnforcer::IsBuildTimely() const {
+  if (!enforce_net_security_expiration_)
+    return true;
+
+  const base::Time build_time = base::GetBuildTime();
+  // We consider built-in information to be timely for 10 weeks.
+  return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
+}
+
 }  // namespace net
diff --git net/cert/ct_policy_enforcer.h net/cert/ct_policy_enforcer.h
index 7111970..f751d6c 100644
--- net/cert/ct_policy_enforcer.h
+++ net/cert/ct_policy_enforcer.h
@@ -101,6 +101,17 @@ class NET_EXPORT CTPolicyEnforcer {
       const ct::EVCertsWhitelist* ev_whitelist,
       const SCTList& verified_scts,
       const NetLogWithSource& net_log);
+
+  void set_enforce_net_security_expiration(bool enforce) {
+    enforce_net_security_expiration_ = enforce;
+  }
+
+ private:
+  // Returns true if the current build is recent enough to ensure that
+  // built-in security information (e.g. CT Logs) is fresh enough.
+  bool IsBuildTimely() const;
+
+  bool enforce_net_security_expiration_ = true;
 };
 
 }  // namespace net
diff --git net/http/transport_security_state.cc net/http/transport_security_state.cc
index 5f82c28..0ebee04 100644
--- net/http/transport_security_state.cc
+++ net/http/transport_security_state.cc
@@ -1371,8 +1371,10 @@ void TransportSecurityState::SetShouldRequireCTForTesting(bool* required) {
   g_ct_required_for_testing = *required ? 1 : -1;
 }
 
-// static
-bool TransportSecurityState::IsBuildTimely() {
+bool TransportSecurityState::IsBuildTimely() const {
+  if (!enforce_net_security_expiration_)
+    return true;
+
   const base::Time build_time = base::GetBuildTime();
   // We consider built-in information to be timely for 10 weeks.
   return (base::Time::Now() - build_time).InDays() < 70 /* 10 weeks */;
diff --git net/http/transport_security_state.h net/http/transport_security_state.h
index a55cf62..b984474 100644
--- net/http/transport_security_state.h
+++ net/http/transport_security_state.h
@@ -475,6 +475,10 @@ class NET_EXPORT TransportSecurityState
   // nullptr to reset.
   static void SetShouldRequireCTForTesting(bool* required);
 
+  void set_enforce_net_security_expiration(bool enforce) {
+    enforce_net_security_expiration_ = enforce;
+  }
+
  private:
   friend class TransportSecurityStateTest;
   friend class TransportSecurityStateStaticFuzzer;
@@ -499,7 +503,7 @@ class NET_EXPORT TransportSecurityState
   // IsBuildTimely returns true if the current build is new enough ensure that
   // built in security information (i.e. HSTS preloading and pinning
   // information) is timely.
-  static bool IsBuildTimely();
+  bool IsBuildTimely() const;
 
   // Helper method for actually checking pins.
   PKPStatus CheckPublicKeyPinsImpl(
@@ -590,6 +594,8 @@ class NET_EXPORT TransportSecurityState
   // True if public key pinning bypass is enabled for local trust anchors.
   bool enable_pkp_bypass_for_local_trust_anchors_;
 
+  bool enforce_net_security_expiration_ = true;
+
   ExpectCTReporter* expect_ct_reporter_ = nullptr;
 
   RequireCTDelegate* require_ct_delegate_ = nullptr;